With a variety of high profile breaches like those at Google and Adobe dominating the start of

2010, I wonder what will the rest of the year bring in terms of cyberwar. Who was behind those
attacks is not as important as the fact that large companies admit to breaches publicly. Admitting
there's a problem is a significant step towards dealing with it. I expect more public disclosures and
a wider revelation of the issue. One of the following issues of (IN)SECURE will have cyberwar as
a theme, so if you have something to say about it, do let me know.

As concerns other content, expect coverage from several global events in the near future. As
silver media sponsors, once again weʼll be covering the extensive RSA Conference in San
Francisco. After that weʼre heading to InfosecWorld in Orlando and Infosecurity in London. Thatʼs
just in the next few months, we have a few more surprises lined up for the rest of the year.

Mirko Zorz
Editor in Chief

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Editor in Chief - editor@insecuremag.com
News: Zeljka Zorz, News Editor - news.editor@insecuremag.com
Marketing: Berislav Kucan, Director of Marketing - marketing@insecuremag.com

Distribution
(IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF
document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited
without the explicit permission from the editor.

Copyright HNS Consulting Ltd. 2010.

www.insecuremag.com
 25 million new malware strains in one year

The outstanding trend of the last 12 months has been the pro-
lific production of new malware: 25 million new strains were
created in just one year, compared to a combined total of 15
million throughout the last 20 years. This latest surge of activ-
ity included countless new examples of banker Trojans as
well as a host of rogueware.

As regards malware distribution channels, social networks

(mainly Facebook, Twitter, YouTube or Digg), and SEO at-
tacks (directing users to malware-laden websites) have been
favored by cyber-criminals, who have been consolidating underground business models to in-
crease revenues. (www.net-security.org/malware_news.php?id=1185)

Cybersecurity expert: Job guaranteed

With the proliferation of computer threats computer security has become one
whose experts are in great demand and has gained quite an aura of "cool-
ness".

According to the New York Times, the demand is for experts is great, but luck-
ily, some schools and universities are ready to train good candidates for the
job: the N.Y.U. Polytechnic, Carnegie Mellon, Purdue and George Mason are
just some of the universities offering a master's degree in cybersecurity. Georgia Tech is planning
to start an online degree in information security later this year.
(www.net-security.org/secworld.php?id=8677).

www.insecuremag.com ! ! 5
 Rogue Android banking applications

Following a couple of announcements made in December by the likes of Travis Credit

Union and First Tech Credit Union, a big brouhaha was raised about some mobile
banking applications for Android-based mobile devices that seem to have been devel-
oped with the intention of phishing account and login information.
(www.net-security.org/secworld.php?id=8692)

Entrust updates PKI platform, adds Linux support

With the introduction of Entrust Authority Security Manager 8.0, Entrust cus-
tomers can implement one of the most trusted PKI security solutions available
on the Red Hat Enterprise Linux platform. This release introduces Entrust to the
open-source platform market and expands the potential overall installation base for the PKI solu-
tion. (www.entrust.com)

Continuing evolution of Internet threats

Spammers continue to be cutting-edge marketers,

this time taking advantage of the reputations of
global brands, such as UPS, DHL and Facebook, to
prompt opening of emails. These are the findings of
the latest Commtouch Internet Threats Trend report.
During this past quarter, cybercriminals focused on
distributing the Mal-Bredo A virus. While the number
of variants decreased from 10,000 to 1,000 as com-
pared to last quarter, it was spread with much more
virulence.
(www.net-security.org/malware_news.php?id=1198)

Software testing firm says no to responsible disclosure

Evgeny Legerov, founder of Intevydis, a Moscow-based company that designs

tools for testing software and provides pentesting and code review services, has
announced that the company has changed its position regarding responsible
disclosure policy and that they plan to make public a large batch of vulnerabili-
ties. (www.net-security.org/secworld.php?id=8702)

Top 10 information security threats for 2010

"The start of a new year is a great time for companies to evaluate their informa-
tion security practices and begin thinking about what threats they'll be facing in
the coming year," said Kevin Prince, CTO, Perimeter E-Security. "As these secu-
rity threats are becoming more serious and difficult to detect, it is vital for compa-
nies to understand what they can do to best protect their systems and informa-
tion. (www.net-security.org/secworld.php?id=8709)

www.insecuremag.com ! ! 6
 Google hacked, plans to leave China

Although it does face a variety of cyber attacks on a regular basis, Google ac-
knowledged the theft of intellectual property following a sophisticated attack
on their infrastructure originating from China. Investigation of the incident un-
covered a more serious problem - at least twenty other large companies have
been targeted as well. These are not only IT companies but doing business in a variety of sectors
- finance, media, technology, etc. (www.net-security.org/secworld.php?id=8703)

Online cybercriminal DarkMarket closed, founder arrested

Who would have thought that Renukanth Subramaniam, a 33-year old

former pizza bar worker and dispatch courier, was the founder and one
of the site operators of DarkMarket, the famous cybercriminal forum-
slash-online market? And that his base of operations was a Java Bean
internet cafe in Wembley, London? But, yes - there was a hint that such
a thing is possible: Subramaniam (aka JiLsi) used to be part of Shad-
owCrew, a similar website that was closed down in 2004 by the US Se-
cret Service. (www.net-security.org/secworld.php?id=8718)

D-Link routers vulnerability allows hackers to reconfigure admin settings

SourceSec Security Research have discovered a vulnerability

in D-Link routers that allows outsiders and insiders to access
and edit the router settings without having to use admin login
credentials. This can be done because the routers have an
additional administrative interface, which uses the (inse-
curely) implemented Home Network Administration Protocol.
Just the fact that the HNAP is present on the routers is
enough to allow attackers to bypass the CAPTCHA login fea-
tures. (www.net-security.org/secworld.php?id=8727)

Networks Solutions breached, hundreds of sites defaced

Network Solutions, the well-known U.S. hosting provider and domain registrar
that manages over 6.6 million domain names, confirmed on Tuesday that their
servers have been breached and that a few hundred of their customer's web
sites have been defaced by unknown attackers who have replaced the home
pages with images of guns and writings containing anti-Israeli sentiments.
(www.net-security.org/secworld.php?id=8737)

Encryption challenge worth $100K

News that an encrypted swiss army knife from manufacturers Victorinox remained
uncracked - and a $100,000 prize went unclaimed - at the CES in Las Vegas
comes as no surprise. And, says Andy Cordial, managing director of Origin Stor-
age, even if someone had cracked the 2010 version of the famous swiss army
knife, they would have obtained a lot more than $100,000 from other sources.
(www.net-security.org/secworld.php?id=8744)

www.insecuremag.com ! ! 7
 Analysis of 32 million breached passwords

Imperva released a study analyzing 32 million

passwords exposed in the Rockyou.com breach.
The data provides a glimpse into the way that users
select passwords and an opportunity to evaluate the
true strength of these as a security mechanism. In
the past, password studies have focused mostly on
surveys. Never before has there been such a high
volume of real-world passwords to examine.
(www.net-security.org/secworld.php?id=8742)

Hiding from Google

Worried about Google tracking your online activity? Not satisfied with Tor's
speed? A (partial) solution to your problem has been set up by Moxie Mar-
linspike, a hacker that has a history of bringing to light SSL protocol weak-
nesses and a member of the Institute for Disruptive Studies, a group of hack-
ers based in Pittsburgh. He put together an proxy service he calls GoogleShar-
ing, that aims to anonymize all your searches and movements inside and from
Google online services that don't require you to login into your Google account.
(www.net-security.org/secworld.php?id=8738)

Using spam to beat spam

How to make a spam filter that will not block any legitimate email? A team at
the International Computer Science Institute and the University of California
researched the ways that spam tricks existing filters and realized that spam
sent by botnets is usually generated from a template that defines what the con-
tent of the email and the changes it goes through to fool filters. They worked
under the conviction that this template might be discovered by analyzing the
multitude of emails sent by a bot. (www.net-security.org/secworld.php?id=8765)

Data breach costs increase

The 2009 Ponemon Institute benchmark study examines the costs incurred by 45 or-
ganizations after experiencing a data breach. Results represent cost estimates for
activities resulting from actual data loss incidents. Breaches included in the survey
ranged from approximately 5,000 records to more than 101,000 records from 15 dif-
ferent industry sectors. (www.net-security.org/secworld.php?id=8766)

US oil industry targeted by cyber attacks

ExxonMobil, Marathon Oil and ConocoPhillips are just three of the US companies
that have been breached in the last few years by cybercriminals that left some
clues pointing in the direction of the Middle Kingdom.
(www.net-security.org/secworld.php?id=8774)

www.insecuremag.com ! ! 8
 Hacker attacks on healthcare organizations double

SecureWorks reported that attempted hacker attacks launched at its healthcare

clients doubled in the fourth quarter of 2009. Attempted attacks increased from
an average of 6,500 per healthcare client per day in the first nine months of 2009
to an average of 13,400 per client per day in the last three months of 2009.
(www.net-security.org/secworld.php?id=8780)

Digital fingerprints to identify hackers

How can you retaliate against a cyber attacker if you don't know who he is? As
we have witnessed lately, attribution of an attack is quickly becoming one of
the biggest problems that the US defense and cyber security community are
facing at the moment. DARPA, the agency of the US DoD responsible for the
development of new technology for use by the military - and of the Internet -
will be starting Cyber Genome, a project aimed at developing a cyber equiva-
lent of fingerprints or DNA so that the hacker can be conclusively identified.
(www.net-security.org/secworld.php?id=8784)

IE vulnerability offers your files to hackers

Jorge Luis Alvarez Medina, a security consultant working for Core Security, has
discovered a string of vulnerabilities in Internet Explorer that make it possible
for an attacker to gain access to your C drive - complete with files, authentica-
tion and HTTP cookies, session management data, etc.
(www.net-security.org/secworld.php?id=8793)

Tor Project infrastructure breached, users advised to upgrade

Tor users have been advised to upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha, follow-
ing a security breach that left two of the seven directory authorities compromised
(moria1 and gabelmoo). According to Roger Dingledine, Tor's original developer
and current Director, another new server has been breached along the previously
mentioned two, but it contained only metrics data and graphs.
(www.net-security.org/secworld.php?id=8756)

Criminal found through World of Warcraft

It seems that law enforcement agencies are getting more crea-

tive with ways of leveraging dug up information about wanted
criminals. Using the knowledge of a previously seemingly incon-
sequential detail such as a game that the suspect is addicted to,
Matt Robertson, a sheriff's deputy from Howard County has
been able to zero in on the location of a man that has run off to
Canada to avoid getting arrested and charged for dealing with controlled substances and mari-
juana. (www.net-security.org/secworld.php?id=8667)

www.insecuremag.com ! ! 9
 Since its inception in 1998, SOAP has become an essential part of virtually all
approaches to Web services. What started out as an acronym for ʻSimple Ob-
ject Access Protocolʼ, is a common solution for corporate information inter-
change today. However, many businesses fail when it comes to securing con-
fidential data during transfer across public networks. WS-Security offers
means for applying security to Web services and protecting private data.

I have been working for a German telephone SOAP Web services

company recently and my last project included
writing a secure Web service for electronic
data interchange with PHP. In accordance with
current legal provisions and historical devel-
opments, the German Telecom owns the lionʼs
share of the domestic telephone network. But,
the law requires them to make the subscriber
line available to competitors.
Even though the German telephone market
was liberalized in early 1998 to promote a self-
supporting competition, small and medium-
sized network carriers are still dependent on
the German Telecom for clearance of local
loop faults. In the past, facsimile communica-
tion was used to handle problems on the so-
called last mile. Also, the German Telecom in-
troduced a SOAP gateway for electronic data
exchange four years ago, aiming to streamline
workflow and improve reliability.
Dave Winer, Don Box, Bob Atkinson and
Mohsen Al-Ghosein originally designed SOAP
in 1998 with backing from IBM and Microsoft.
SOAP once stood for ʻSimple Object Access
Protocolʼ, but this acronym was dropped with
version 1.2 of the standard. Now SOAP is the
brand name for a W3C recommendation, cur-
rently being maintained by the XML Protocol
Working Group of the World Wide Web Con-
sortium.
SOAP is a communications protocol for struc-
tured information interchange. It is based on
XML, allowing message negotiation and
transmission. Furthermore, it is commonly be-
ing used for remote method invocation in dis-
tributed systems and large network environ-
ments.

www.insecuremag.com 10
 Even though most standard stacks use a
combination of HTTP and TCP for data ex-
change, SOAP is not bound to a specific ap-
plication or transport protocol. Quite the con-
trary – it allows a wide variety of different pro-
tocols for message transfer, e.g. SMTP or
HTTPS.
Web service security
To improve Web service security, the Organi-
zation for the Advancement of Structured In-
formation Standards (OASIS) released WS-
Security 1.0 in April 2004. This protocol pro-
vides additional means for applying security to
Web services, namely by enforcing integrity
and confidentiality.
The specification describes how to attach se-
curity tokens and digital signatures to the
header of a SOAP message (including X.509,
Kerberos, SAML and XrML). Furthermore,
WS-Security allows full or partial encryption of
data. Since WSS is working in the application
layer, it ensures reliable end-to-end security.
The current WS-Security standard complies
with a couple of well-established security re-
quirements. The most important ones are
listed below.
Integrity
All outbound messages can be signed digitally
to ensure that the receiver takes notice of any
manipulation attempts during transmission, i.e.
man-in-the-middle attacks. Moreover, it is
possible to attach timestamps to all outgoing
SOAP messages in order to limit their time-to-
live. That way a service provider is able to
prevent fraudulent use of his applications.
Identification
Digital certificates and the WS-Security User-
name Token Profile help proving the identity of
individual Web service consumers. Addition-
ally, HTTPS may also be used to safeguard a
service against identity theft.
Authentication
In almost the same manner, certificates – no
matter whether they are embedded into the
SOAP header or being used for HTTPS – can
confirm the identity of a Web service
consumer.
www.insecuremag.com
Authorization
Depending on the underlying application, a
userʼs signature may be used for access con-
trol as well, e.g. validating a customer against
a back-end database. Thus a Web service
provider can allow or disallow execution of
certain transactions depending upon the re-
questerʼs identity.
Confidentiality
If you deal with sensitive information (e.g.
telephone connection data or customer-
related records) and have to send them
across public networks, you might want to en-
crypt them beforehand. With SOAP, you can
either do this via HTTPS on the transport layer
or use WSS/XML Encryption in the message
header. The latter method allows the encryp-
tion of an entire SOAP message or single XML
nodes only.
Non-repudiation
Both sender and receiver must be able to pro-
vide legal proof to a third party (e.g. judge),
that the sender did send a transaction and the
receiver received the identical transaction.
Usually non-repudiation is ensured by a com-
bination of integrity, identification and authen-
tication.
Suitable SOAP extensions for PHP
The official SOAP extension of PHP 5 can be
used to write SOAP servers and clients. It
supports subsets of SOAP 1.1, SOAP 1.2 and
WSDL 1.1 specifications. However it does not
include any support for WS-Security yet.
While WSS is quite widespread among Java
and .NET developers, most SOAP libraries for
PHP lack a proper WSS implementation. Nei-
ther NuSOAP (which is discontinued anyway)
nor PEAR::SOAP offer built-in functionality for
security-enabled Web services.
Actually, I did not find any appropriate SOAP
implementation with WSS support for PHP
during my research. There are a couple of
third party solutions on the PHP Classes web-
site (www.phpclasses.org), but none of them
met my needs.
Furthermore, I wanted to go for the official
SOAP extension of PHP 5 for better upward
compatibility and less dependencies.
11
 PHP library for XML security Altering outbound SOAP messages

Finally I found xmlseclibs on Google Code
(code.google.com/p/xmlseclibs), which is a
PHP library for XML security. It is maintained
by a developer called Rob Richards and offers
an object-oriented approach to use WS-
Security with PHP:SOAP.
The official SOAP extension of PHP 5 consists
of two major classes for SOAP communica-
tion. The purpose of SoapClient is providing
a client for SOAP 1.1 and SOAP 1.2 servers. It
can either run in WSDL or non-WSDL mode.
SoapServer can be used accordingly to write
a server for the SOAP 1.1 and SOAP 1.2 pro-
tocols.
When sending a SOAP request over HTTP,
SoapClient::__doRequest() is called
internally. The function can be redefined in
subclasses to implement different transport
layers or perform additional XML processing.
This means that we can exert influence on the
SOAP header being sent, simply by overriding
the above-named method.
Through this mechanism xmlseclibs can en-
gage with the data interchange process of
PHP:SOAP. The following code listing shows
how this is done technically.

class SecureSoapClient extends SoapClient

{
public function __doRequest($request, $location, $action, $version, $one_way = 0)
{
// Create DOMDocument from SOAP request
$dom = new DOMDocument();
$dom->preserveWhiteSpace = false;
@$dom->loadXML($request);

// Create new XMLSecurityKey object and load private key

$securityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1,
array('type' => 'private'));
$securityKey->loadKey(KEY_FILE_NAME, true);

// Create new WSS header object

$wssHeader = new WSSESoap($dom);

// Add Timestamp to WSS header (message expires in 5 minutes)

$wssHeader->addTimestamp(300);

// Sign message and appropriate header items

$wssHeader->signSoapDoc($securityKey);

// Create BinarySecurityToken from certificate and attach token to the header

$token = $wssHeader->addBinaryToken(file_get_contents(CERT_FILE_NAME));
$wssHeader->attachTokentoSig($token);

// Send SOAP message with WSS header and return response

return parent::__doRequest($wssHeader->saveXML(), $location,
$action, $version, $one_way);
}
}

First off we need to copy the current SOAP
request to a DOMDocument object. This facili-
tates further adaptations to our needs. After-
wards we can create a new XMLSecuri-
tyKey object from our private key file. The
example uses RSA-SHA1 for encryption. Then
we instantiate WSSESoap, an additional class
provided by Rob Richards, to create a WS-
Security header. This enables us to add a
timestamp, sign the SOAP message and at-
tach a BinarySecurityToken to the header suc-
cessively. Finally we pass the arguments – in-
cluding our altered version of the SOAP re-
quest header – to the correspondent method
in the parent class. Given that we will suc-
ceed, the server will reply and send a re-
sponse to our request.
For a more comprehensive example, check
out Rob Richardsʼ website (cdatazone.org).

www.insecuremag.com 12
 Server support still missing
Unfortunately, the ability to write a secure
SOAP server is still missing in xmlseclibs. Be-
cause my project was only supposed to con-
sume a Web service securely, that was no
problem for me. Affected developers might
want to take a look at WSO2 WSF/PHP
(www.wso2.com), which is an open source
framework for providing and consuming Web
services in PHP. The software producer pro-
motes that his extension offers WSS support
for both servers and clients.
But unless you want to develop a secure
SOAP server, I would recommend sticking to
the official SOAP extension of PHP 5 and
xmlseclibs.

EVEN THOUGH PHP STILL LACKS A COMPLETE WSS IMPLEMENTATION, FREE THIRD-
PARTY CLASSES PROVIDE A GOOD BASIS FOR SECURE DATA INTERCHANGE.

Conclusion Furthermore, HTTPS can help preparing a

WS-Security describes enhancements to
SOAP messaging and offers a wide range of
possibilities to protect a Web service through
message integrity and single message
authentication. As a whole, these mechanisms
can be used to accommodate a variety of se-
curity models and encryption technologies.
SOAP Web service for business use.
Even though PHP still lacks a complete WSS
implementation, free third-party classes pro-
vide a good basis for secure data interchange.
By now my project operates in a live environ-
ment, serving a J2EE-based Web service and
successfully conducting numerous transac-
tions every day.

Sascha Seidel graduated in computer science and works as a freelance developer in Germany. He is excited
about a wide variety of computer-related topics, ranging from front-end design to assembler coding. In his
spare time he maintains a community website for application, game and web developers
(www.planet-quellcodes.de).

www.insecuremag.com 13
 Security technology has come a long way in the last 850 years, but we can
still learn a thing or two from our medieval ancestors. After the Norman
conquest of Britain, the new administrative centers and power bases of the
country were quickly strengthened against attack.

Hilltop fortifications were remade as imposing
stone castles, with multiple layers of security
built in. These protected the newly centralized
trade and business operations against theft
and external attacks, and controlled third-
party access – rather like the perimeter de-
fenses, intrusion protection systems and
VPNs of a typical companyʼs network.
And if important figures left the protection of
the castle, they would not only wear body ar-
mor, but also carry a shield for additional, mo-
bile defense against all types of weapon. But
do corporate endpoints – laptop computers
and smartphones – have the same level of
protection?
Unfortunately, it seems that unlike their me-
dieval counterparts, modern mobile workers
are no longer adequately prepared for attacks
when they are away from the relative safety of
the corporate ʻcastleʼ.
Why is this? Well, attack methods are chang-
ing, and the dominant threat to endpoint secu-
rity now combines historically-effective attacks
with newer, more elusive methods of delivery
and infection. As a result, attacks are ex-
tremely difficult to stop, and more serious in
consequence than previous exploits.
New, web-based attacks have emerged and
are becoming more common. And while tradi-
tional endpoint security controls are still im-
portant, they are unable to fully cope with
these new attacks, because they focus on the
wrong things.
New controls are needed: web security must
extend to usersʼ behaviors as well as the PC
software and configuration. Signature-based
methods alone wonʼt stop new attacks, and
neither will simply removing malicious soft-
ware.

www.insecuremag.com 15
 What are these new approaches? Letʼs see in
detail at how enterprise attack vectors are
changing and evolving, the motivations be-
hind them, and how they get around tradi-
tional endpoint security approaches.
Following this, I will look at a new approach to
protecting endpoints against these attacks,
both reactively and pre-emptively.
Battle beyond the browser
One of the key malware developments over
the last 5 years is the move from email-borne
to web-borne attacks. Exposure can occur if a
business PC is used for business or personal
use on the web.
The issue is, organizations often have a false
sense of security, because traditional controls
for protecting enterprise endpoints do not se-
cure against web-based threats. Hereʼs a
small sample of recent incidents in which
criminal hackers have used the Internet as a
platform to distribute their wares:
• In July 2009 web services provider Network
Solutions disclosed that hackers broke into its
servers and stole details of over 573,000 debit
and credit card accounts from its customers.
The company discovered in early June that its
servers had been hacked into by unknown
parties. The servers provide e-commerce
services such as Web site hosting and pay-
ment processing to nearly 4,500 small to mid-
size online stores. The hackers left behind
malicious code, which allowed them to inter-
cept financial information from people who
made purchases at the online stores hosted
on those servers from March to June 09.
• In June 2009, more than 40,000 web sites
were hit by a mass-compromise attack
dubbed Nine Ball that injected malware into
pages and redirected victims to a site that at-
tempted to download further malware.
• May 2009, a series of rapidly spreading web
site compromises known as Gumblar gar-
nered media headlines. Gumblar-infected
sites delivered keyloggers and other malware
to visitors.
www.insecuremag.com
Below the radar
Hacking has evolved from the attention-
grabbing viruses of nearly a decade ago to
the more covert and dangerous affair it is to-
day. The result is that enterprises face more
daunting online threats today, yet are often
less equipped to handle those threats.
In the early 2000s, hacking was generally
characterized by a drive for attention, not fi-
nancial motivation. Though sophisticated Tro-
jan and other attack technology was around, it
was rarely deployed—especially not for finan-
cial gain.
E-mail worms were the norm, and they were
widely reported in the press. They had a
widespread, positive impact: many organiza-
tions responded by deploying desktop and
gateway security applications such as
signature-based antivirus products and fire-
walls, and – crucially – regularly updating ex-
isting security solutions to keep them ahead
of malware authors.
But with changing motivations come new
techniques that take a different approach. So-
phisticated blended threats have joined the
universe of viruses, Trojans, worms, and other
exploits and expanded attack possibilities be-
yond the reach of older exploits.
New web-based attacks have three key prop-
erties:
• Threats are much less noticeable because
they are designed to be silent on the victim
PC. Only a loss of PC performance or stability
might be apparent.
• Threats are targeted and sent in small
batches to avoid detection. Itʼs now rare to
see major headlines accompanying a threat –
the exception being this yearʼs Conficker out-
break, which still has AV researchers puzzled
as to motive.
• Consequences are serious and may in-
clude personal data loss/identity theft, as well
as the silent takeover of individual PCs to
create botnets—thousands of computers that
can be controlled at once to launch large-
scale attacks.
16
 Web-based attacks include “drive-by” down-
loads, PHP and AJAX exploits—all retaining
the worst characteristics of the recent past.
They remain financially motivated, extremely
damaging, and relatively silent and unnotice-
able. Like earlier threats, they are once again
viral and widely distributed.
Many enterprises assume they already have
sufficient Internet security to prevent these
web-based attacks—but remain unprotected.
Unfortunately, most providers of endpoint se-
curity software do not yet offer the appropriate
controls to prevent exploits by todayʼs web-
based threats. Letʼs look at why this is.
New threats get the upper hand
PC-based security software – whether a
single-user suite or a corporate endpoint solu-
tion – is still critically important, but is no
longer enough to combat these new web-
based attacks. Each type of solution arguably
falls short in at least one important way.
Signature solutions
This category of solution includes PC-based
forms of security such as antivirus, anti-
spyware and signature-based IPS. Signature
PC-based security software is still critically important, but is
no longer enough to combat new web-based attacks.
Firewalls
Desktop firewalls are effective against zero-
hour, morphing, and targeted network attacks.
They follow a simple and elegant rule: do not
allow any traffic onto the PC unless the user
and/or administrator specifically allow it.
This “reject all unless known good” rule is in
direct opposition to the signature rule of “allow
all except known bad.” However, there are a
couple of downsides to desktop firewalls.
First, they generally allow user-solicited traffic
on TCP port 80, the standard port used for
HTTP traffic.
www.insecuremag.com
solutions had difficulty keeping up with attacks
a decade ago, and this was before modern
automated, morphing and small-batch custom
attacks were available.
In the face of modern attackware, it is no
wonder that experts and analysts have written
hundreds of articles predicting the decline and
death of antivirus.
As these observers point out, antivirus soft-
ware reacted too late for “Melissa” in 1999,
and for “I Love You” in 2000—all of which
were mass-mailed, relatively low-tech (slowly
morphing) viruses. How can antivirus (and its
cousins anti-spyware, IDS and similar) keep
up with todayʼs viruses and worms that are
blended, and more advanced?
The truth is, they canʼt. Recently, threats have
appeared in small batches (thousands, not
millions of infections) that constantly morph,
change their signature on every PC they hit,
and stay hidden.
While antivirus, anti-spyware and similar se-
curity solutions are useful for “cleanup duty” in
the aftermath of an attack, they are ineffective
as a defense for some zero-hour web-based
attacks.
When the user initiates an HTTP connection,
the firewall acts as a wide-open highway that
brings traffic straight onto the PC. Most stud-
ies show that spyware and other malware ex-
ists on over 80% of PCs running firewalls.
Firewalls are focused on protecting usersʼ
computers, not usersʼ behavior. Similarly, they
do little to prevent direct online contact with
malware.
Desktop firewalls continue to be critical com-
ponents of endpoint security because they
provide network-based protection in a way
that nothing else can. When it comes to web-
based attacks, however, they are not fully ef-
fective.
17
 The need for new security controls
In the face of modern web attacks, new
signature-based security solutions have
emerged that try to protect users online.
These new transaction security products use
signatures of known bad web sites, including
phishing sites and spyware distribution sites.
Some also contain signatures of malicious
web site behaviors. This information allows
them to identify and prevent users from visit-
ing web sites at a more general level, and
keep a more secure environment.
These signature solutions are the first re-
sponse to the new attack types, yet they are
not the most effective. They work as partial
solutions but are no match for the threat envi-
ronment described earlier, in which hackers
design dynamic, morphing threats that get
past signature systems. Just as todayʼs vi-
ruses can bypass antivirus systems, modern
web attacks evade these signature-based
web transaction security products.
This means supplementing the traditional se-
curity ʻarmorʼ for endpoints (firewalls, antivi-
rus, anti-spyware and so on) with additional
protection specifically for the web browser
application.
Just as medieval noblemen would carry a
shield to stop attacks before they hit the body,
so the web browser needs a shield to absorb
attacks, and protect identities and data
against both high-profile and stealthy infiltra-
tion attempts.
The ʻvirtual shieldʼ
There are several technologies that have
emerged to fight web-based attacks without
the use of signatures. These can be classified
into two broad categories:
Manual virtualization systems: These systems
virtualize all or a part of the host computer,
and require that all changes from the Internet
to the PC take place in the virtualized system
itself. In this way, nothing harmful can transfer
from the Internet to the PC.
While this seems like an elegant solution, it
requires the maintenance of both a virtual
machine/file system and an actual one. It also
www.insecuremag.com
requires making ongoing decisions about both
systems—something that the average enter-
prise user is unwilling or unable to do.
Method-blocking systems: This technology
focuses on one or more known browser vul-
nerabilities that allow hackers to target users
with malicious code. For example, cross-site
scripting presents a vulnerability that enables
a hacker to inject malicious code into other
peopleʼs web pages.
A method-blocking system actually interferes
with this feature, thus removing the method by
which these attacks can be carried out. While
these systems are important and necessary,
their shortcoming is that they block only some
methods of attack (usually just one), and
therefore cannot stand on their own against
the sheer breadth of tactics that web-based
attacks employ.
So how are these combined to give the best
protection against newer attacks?
Stopping all Web-based attacks
The first step is taking the correct approach to
virtualization – that is, choosing the right ele-
ments of the OS and relevant applications to
virtualize.
The aim of virtualization is to protect the
userʼs web session by enclosing it in a “bub-
ble of security” as they browse – while keep-
ing the process simple and transparent for the
user. Itʼs a process that can be called preci-
sion emulation.
With this approach, only those parts of the
operating system that the web browser is able
to access need to be virtualized. This means
that there is no large installation, much less
system memory use and associated perform-
ance degradation, and no need for the user to
keep track of multiple operating systems or
file systems. The virtualization engine should
also automatically maintain the virtual system
it creates.
For example, each time a user browses the
web, a number of changes—most of them in-
nocuous—are made to their computer
system.
18
 A specific case is when processing an online
form to become a registered user of a web
site, often the siteʼs server creates a cookie
that is placed onto the userʼs computer.
Under precision emulation, the virtualization
engine should follow a very simple, firewall-
like rule. All user-solicited downloads from the
Internet write to the computer just like normal.
But unsolicited downloads such as drive-bys
write to the emulation layer, never touching
the computer.
The result is that users can browse to any
web site and click on any link without worry
because all unknown or unwanted changes
(from browser exploits and drive-by down-
loads, spyware, and viruses) are made to a
virtualized file system. So only the items the
user purposely downloads are placed on the
endpoint PC.
A closer look at precision emulation
Precision emulation works by intercepting Mi-
crosoft Windows interfaces to directly access
files and registry keys. In doing so, the proc-
ess creates two major components:
• A virtualization engine to creates a duplicate
Windows file and registry system
• A hooking engine to selectively redirect NT
kernel calls to the virtualization engine.
The purpose of the hooking engine is to inter-
cept indiscriminate NT kernel calls. At this
point, it decides if a kernel call was solicited
by the user or was automatic, as in a drive-by
download. The engine determines this based
upon whether or not expected UI calls were
made (user initiated) or not (automated,
drive-by).
User-solicited calls are made to the native
system component as always, so as not to
interrupt the userʼs normal workflow. Unsolic-
ited calls, however, get applied to the virtuali-
zation engine and virtual file and registry sys-
tem, and therefore never reach the actual
computer. At the end of each browsing ses-
Caroline Ikomi is the Technical Director at Check Point (www.checkpoint.com).
www.insecuremag.com
sion, the virtual layer can be reset and
scrubbed to a clean state.
Without this approach, user accounts often
run with administrative privileges, giving ap-
plications freedom to read and write to the
operating system and kernel. This allows ma-
licious code to directly access and harm the
operating system.
Web shield benefits
To conclude, placing a virtual shield around
the browser has three core security benefits.
1. It is signature independent: itʼs a zero-hour
system that employs a simple firewall-like
rule: reject all changes to the userʼs PC
unless the user specifically solicits them.
2. It protects the userʼs PC from the moment
of connection: as web-based attacks can oc-
cur the moment the user encounters a web
site, the shield approach does not passively
wait for malware to transfer from the Internet
to the PC. The virtualization layer shields the
user immediately and through the whole
session.
3. Itʼs unobtrusive: no special setup or main-
tenance on the part of the enterprise adminis-
trator is needed, and all virtualization activity
is invisible to the user and requires zero main-
tenance.
The latest generation of web-based attacks
need a solution that supplements and goes
beyond the best of traditional endpoint de-
fenses, including signature-based security,
updates to virus and spyware eradication
mechanisms, and firewalls. It needs to shield
the browser – the userʼs point of contact with
the Internet – from the endpointʼs operating
system and file system, to stop unauthorized
changes.
After all, if youʼre going to put armor on your
endpoints, why not do what our medieval
ancestors did, and use a shield as well?
19
 How many times have you, as a security professional, explained to your
friends, family or colleagues that using one password for everything is not
ideal and not secure - far from it, actually? Yet the report by CPP suggests
that many Brits do exactly that! A typical response from those “offenders” is:
“It is impossible to remember all those passwords. That is why I use just one
strong password.” Obviously, we know it does not really matter how strong
that one password really is!

In this article I will show you a sensible, af-
fordable and working solution for those who
have a Mac and even an iPhone. I will also
show how I use 1Password for all my pass-
word management, storing sensitive data and
having all that accessible on my iPhone. I
cover the latest version of 1Password 3 which
has been released in November 2009.
My life with 1Password
Before I stumbled upon 1Password I had used
ʻremember passwordʼ feature in Safari or Fire-
fox. This worked fine for web passwords but
was rather limited in functionality. I usually
struggled with generating new passwords for
new websites. The option was either using
one password (oops) or using external pass-
word generators. And then I discovered
1Password!
This software operates as a vault on your Mac
and has plug-ins into major browsers on Mac.
My workflow is now as follows:
1. Go to a registration page
2. Fill in my details, username etc - I use
1Password to fill in my personal details
3. Click on 1Password icon and select Strong
password generator (I always select the
strongest password the website supports)
4. Click Submit in the web form and 1Pass-
word asks me to save the form into its data-
base.
Next time I need to login to the website I sim-
ply click the 1Password icon and select Fill the
login. I usually use Autosubmit so I do not
even need to click Submit on the web form.
(See the figure on the following page).

www.insecuremag.com 21
 Strong password generator
The biggest advantage when using 1Pass-
word is that it can generate strong and unique
passwords for each website. The dialogue is
The random option can be set to generate a
defined number of digits or symbols. This is
useful when generating passwords for sites
that do not support symbols in the password
field.
www.insecuremag.com
very easy to understand. In the Advanced sec-
tion you can choose pronounceable password
or random. I always use random as I really do
not need to remember the website password.
It can also generate a password with only dig-
its if I choose same number of digits as the
password length (limited to 10 digits length).
22
 1Password interface
Although this is not the review of the design
features of 1Password, I just want to present
one screenshot of the interface. This shows
the types of items in the Vault:
• Logins - this contains all web sites that I
saved the password for
• Accounts - this feature stores password and
account information for non web based serv-
ices, like FTP servers, wireless networks,
emails accounts, databases. Although 1Pass-
word cannot automatically fill in the details,
you can copy and paste the information easily.
• Identities - I am fed up with registering on
new websites and filling all details again and
again. Identities allow me to create multiple
identities and then easily fill in the details to a
website. The results are not ideal all the time,
mainly because the standards for naming
conventions of forms elements are not fol-
lowed all the time.
www.insecuremag.com
• Secure notes - Mac OS provides Sticky
Notes for storing unstructured information.
Secure Notes is similar, except it is protected
by 1Password security.
• Software - This is a new feature of 1Pass-
word 3. Simply drag and drop an application
from Applications folder and 1Password will
create a new entry, identify the version num-
ber and add the icon. I use this feature to
store all software licenses.
• Wallet - Another handy feature to fill in credit
cards effortlessly to a web page for payments.
Works 99% of time, with same caveats as ex-
plained in Identities.
Behind the scenes
1Password 3 uses its own keychain type
which offers advantages compared to the Mac
OS X Keychain. See the table on the following
page, taken from 1Passwordʼs website.
23
 When using the Agile keychain, each entry is
a file on the file system. See the screenshot
below. Here is how the file is structured. The
encryption key for the data is derived from the
master password that is used when unlocking
the keychain.
{"keyID":"4E0D436BBF524E47222234102707
B514FF1","locationKey":"theweb.co.uk","encry
pted":"U2FdfRsjddsk463jdgso38hhLNsdGVkX
19jB7GLg2kw+hlRjZEETUNyom8zwACz8rliN/
/BATiS7tbersko8r7lqwehro132iqwegfo8132db
Configuration options
Some indication of 1Passwordʼs qualities can
be demonstrated by the screenshot of the
www.insecuremag.com
ewyi9+RoYqtuSslg==\u0000","typeName":"we
bforms.WebForm","openContents":{"contents
Hash":"39105b88","passwordStrength":46,"us
ernameHash":"dad1289817469123481649643
845244cdf76fed50a84","securityLevel":"SL5","
passwordHash":"673f12f43886923487592347
592345b2c221678cc710f24"},"location":"https:
//consulting-jobs.theweb.co.uk","uuid":"0CBD0
B9345793456B423D5B160","updatedAt":1215
729057,"createdAt":1215729057,"title":"test
Web","folderUuid":"F0CFF318736744349AC9
3FC0F004741E"}
1Password preferences. Here you can set an
auto-lock of 1Password keychain after a cer-
tain time, computer sleep or when screen-
saver is activated.
24
 The option “Never prompt for master pass-
word” is useful for some as it will save 1Pass-
word master password in the Mac OS X Key-
chain. This is automatically unlocked when the
1Password Anywhere
One feature that I do not use but maybe useful
for other users is 1Password Anywhere. As I
explained before, the 1Password chain is a
folder. This folder can be copied on a USB
www.insecuremag.com
user logs in. While Keychain provides strong
security I prefer to unlock 1Password manu-
ally.
memory stick or put in online storage and
used from a web browser. This allows users to
access all information in 1Password from any
modern web browser. The web interface looks
almost exactly the same.
25
 Once unlocked, you can read all information,
but no changes are allowed to the content of
1Password. It would not be wise to have the
1Password data in many places as it is still
vulnerable to offline password cracking at-
tacks. Hence, the master password complexity
is key to the security of your 1Password data.
The problems
1Password works very well in most cases. The
trouble begins with indexed passwords. Take
Direct Line as an example. To login to their
system you have to enter your email address
and postcode. Then on the next page you are
asked to enter the 2nd and 4th character from
your password (for example). 1Password has
no way of knowing which character the web-
site wants. In this case, the workflow is little
more complicated. I need to open 1Password,
look up the website entry and display the
password for it.
Another issue I have with the software is that it
does not work well all the time. This is espe-
www.insecuremag.com
cially true on complex websites where the
login or registration form is driven by java
script. I have had some websites that simply
did not work. To the credit of the developers I
must say that they promptly checked the web-
site and sometimes updated the software in
the next versions.
1Password on the iPhone
I do not always have my Mac with me, but I do
have an iPhone. The perfect companion to
1Password on my Mac is 1Password Touch
Pro. This application synchronizes all 1Pass-
word data to the iPhone.
The security model is slightly different here.
The entry to the 1Password Touch application
is secured by 4-digit passcode.
Each entry in the 1Password database then
has a flag to indicate whether another pass-
word is needed to unlock this entry in1Pass-
word Touch application.
26
 The master password on the iPhone applica-
tion is independent from the Mac version and
is set when 1Password Touch is installed and
run for the first time. In order to access highly
sensitive information, you need to enter 4-digit
passcode and then the master password. If
you feel nervous about having sensitive infor-
mation on your iPhone, you can select only
some folders as seen on the following
screenshot.
The usage of 1Password Touch is straightfor-
ward, with nice features like integrated web
browser with auto-logon capability or copy and
paste.
It securely synchronizes with the desktop ap-
plication using the Bonjour protocol. The sync
setup is relatively easy.

Conclusion The introduction of the iPhone Pro version in

the App Store has enhanced my ability to login
I have been using 1Password for over a year to my websites securely from anywhere.
now and I am impressed with this product. It
has its glitches, but overall I am very satisfied.

Vladimir Jirasek is an experienced security professional currently working as the Security architect in Nokia UK
Ltd. He holds CISSP- ISSAP, ISSMP, CISM and CISA and is the member of the ISSA UK chapter. He can be
reached at vladimir@jirasek.eu and on LinkedIn http://uk.linkedin.com/in/vladimirjirasek

www.insecuremag.com 27
 With todayʼs extensive use of web applications to optimize and digitize the
key processes of companies, most of the sensitive information of the organi-
zation, including customer private data, corporate secrets and other informa-
tion assets that are in danger of being exposed on the Internet.

Identifying the level of risk those applications
represent for a company is a primal task for
information security officers. In an ideal world,
one would be able to look for security bugs in
every single application in the companyʼs in-
ventory to determine the companyʼs overall
security position.
However, full-blown testing would be over-
whelming and too expensive. At the same
time, a timid approach could leave the organi-
zation exposed to a security breach, which
may lead to financial and reputation losses.
A balanced approach is the best way to ade-
quately protect and safeguard the most impor-
tant company assets first. It provides the
overall picture of the companyʼs information
assets exposure and allows the company to
make the right decisions regarding where the
fixing efforts should be spent. This article will
share some key tactics that can help answer
the following questions:
• Where should application security testing
start?
• Which applications are most critical to the
company?
• What kind of testing method should be
used?
• What tool is best for the job?
• What verification requirements should be
considered for the application security policy?
There are no straight answers to these ques-
tions, as an effective approach should be tai-
lored to the specific needs and goals of the
organization and its industry.
What are the biggest risk levels within the
application portfolio?
The first part of the strategy should be to de-
fine what applications pose the highest risk for
the business and, thus, have the highest po-
tential to produce financial loss in the event of
a security breach.

www.insecuremag.com 28
 Identifying those applications is not an easy
task. However, some well-known key indica-
tors could be used as guidelines for ranking:
• Data sensitivity. All the privileged data of the
company, such as intellectual property (IP),
which, if leaked, might damage the organiza-
tionʼs competitiveness.
• Private user data. Disclosure of customer
sensitive information, like credit card informa-
tion, social security numbers or salary, is a
common cause of big losses, as there are
both legal and economic implications.
• Compliance requirements. Rules and regula-
tions, such as SOX, PCI, GLBA or HIPPA, re-
quire additional rigor which may increase the
complexity of application security and data
management.
The formula is appealing due to its simplicity.
The problem, though, is that both probability
and impact are discrete values that are diffi-
cult to measure. But if we take the fundamen-
tal premises that the more exposed the data
is, the more prone it will be to attack—and the
The outcome is pure gold: a simple formula
that can help to quickly prioritize applications
for testing and – as we will see later – also
help to identify what kind of testing should be
used for each type of application.
Like everything else in application security, it
is not bullet-proof. But it is simple and effec-
tive enough to simplify the task of application
risk categorization with a good level of accu-
racy.
www.insecuremag.com
• Data exposure. This is determined by how
accessible the information is for unauthorized
users. Things to consider include where the
application is hosted, (internally or a hosting
service), its accessibility through the Internet
(Is it an open Internet app or is it an Extranet
app?), access restriction (IP restricted, named
people, VPN).
• Potential financial/economic loss. How much
would it cost the company if this application or
its data is compromised?
Identifying riskier applications
A widespread approach to ranking applica-
tions by criticality is the use of a common risk
analysis formula. This is aligned to the finan-
cial loss that might result in the case of a se-
curity breach.
more sensitive the data, the higher the finan-
cial loss, we can use two components that
can be easily measured (information expo-
sure and sensitivity), and end up with a for-
mula that looks like this:
A good practice is to use a reduced number of
values for both factors (anything between 3 to
10 levels) and to group Overall Application
Criticality based on value ranges.
Such is the case in the following example, in
which we use values from 1-4 for exposure
and sensitivity, and then we group them ac-
cording to the results and the following crite-
ria: Low (1-2), Medium (3-5), High (6-8), and
Critical (9-16).
29
 Table 1: Application Criticality Matrix.
Selecting the right testing approach
Once an Application Criticality Matrix has
been established, you may opt to focus first
on those that, as a result of the assessment,
have been classified in the levels of High and
Critical. Now it is time to determine the kind of
testing that should be used, choosing be-
tween a wide range of approaches:
• Depth vs. breadth. Penetration testing or
vulnerability assessment?
• Inside-out vs. outside-in. Do you want to
know the insider threat level or the outsider
one?
www.insecuremag.com
• Timing. At what point(s) in the SDLC will the
assessment be performed? (Rule of thumb:
the earlier, the better)
• Manual, automated or “hybrid” testing?
To identify the best suited approach, OWASP,
a worldwide community focused on improving
security of application software, has published
the Application Security Verification Standard
(ASVS), which serves as a great starting
point. ASVS defines four levels of Web appli-
cation security verification: Automated, Man-
ual Review, Design Verification and Internal
Verification. Each level includes a set of re-
quirements for verifying the effectiveness of
security controls that are being used.
30
 The single tool trap
Scanning tools are an essential part of every
AppSec strategy, and so is choosing the right
one. Fortunately, ASVS provides enough
guidance on what vulnerabilities a tool should
be able to look for.
No one tool can do everything well. According
to an evaluation on application security scan-
ning tools, carried out by the US NSA Center
for Assured Software, the best coverage one
can get with a single tool is detection of
60.3% of the vulnerabilities of an application.
Other studies show similar or lower rates.
While tools are very useful and necessary for
attaining good efficiency levels in application
security testing, trying to create a strategy
around one particular tool may be a mistake.
The application security testing strategy
should leverage the right tools, at the right
place and time.
Verification requirements in the applica-
tion security policy
This OWASP ASVS standard provides
enough information to help define a basic set
of verification requirements that include cov-
erage, rigor and testing methods. With that in
place, it is time to map it to the recently-
created Application Criticality Matrix. For
example:

Note: This is an over-simplified table intended to exemplify the mapping activity.

Take into account that the requirements set
should not be limited to new and existing de-
velopments; organizations should also con-
sider major and minor improvements, acquisi-
tions, and outsourced developments. All the
applicable cases, and the periodicity for the
requirements to be re-verified, should also be
taken into consideration.
Summary
An Application Vulnerability Detection Strat-
egy should be composed by three elements:
Application Criticality Matrix, suitable testing
approaches and verification requirement set.
Once the detection strategy has been cre-
ated, it is time to sell it to top management
using the results of applying risk rating crite-
ria. Add it to any existing application or infor-
mation security policies, and communicate the
changes to the company. It is not until this
point that the “dirty” work of testing the appli-
cations should start.
There is much more to be done for an appli-
cation security program to become a real and
full-blown solution for any company; however,
these guidelines can serve as a starting point.
Once a detection strategy has been laid out,
teams should start to gather valuable informa-
tion on vulnerabilities, and then it may be a
good time to consider implementing a metrics
program.

Juan Carlos Calderon is the Information Security Research Leader for Softtek (www.softtek.com) and is
CSSLP certified. With nine years of experience working in the application security arena for international com-
panies, his responsibilities include (among others) penetration testing and security code reviews for hundreds
of applications in the Financial, Energy, Media, Aviation and Healthcare industries. He is an active participant
at renowned OWASP project.

www.insecuremag.com 31
 CompTIA Network+ Certification Study Guide: Exam N10-004, Second Edition
By Robert Shimonski
Syngress, ISBN: 9781597494298

CompTIA's Network+ exam (N10-004) is a major update with more focus on

security and wireless aspects of networking. This study guide has been
updated accordingly with focus on network, systems, and WAN security and
complete coverage of today's wireless networking standards. This book covers
the core Network+ material including basic design principles, management
and operation of a network infrastructure, and testing tools. After reading this
book not only will you be able to ace the exam but you will be able to maintain,
troubleshoot, and install computer networks.

Inside Cyber Warfare: Mapping the Cyber Underworld

By Jeffrey Carr
OʼReilly, ISBN: 0596802153

Maybe you've heard about "cyber warfare" in the news, but do you really know
what it is? This book provides fascinating and disturbing details on how nations,
groups, and individuals throughout the world are using the Internet as an attack
platform to gain military, political, and economic advantage against their
adversaries.

You'll learn how sophisticated hackers working on behalf of states or organized

crime patiently play a high stakes game that could target anyone, regardless of
political affiliation or nationality.

www.insecuremag.com 33
 Cloud Security and Privacy
By Tim Mather, Subra Kumaraswamy, Shahed Latif
OʼReilly, ISBN: 9780596802769

With Cloud Security and Privacy, you'll learn what's at stake when you trust
your data to the cloud, and what you can do to keep your virtual infrastructure
and web applications secure. This book offers you sound advice from three
well-known authorities in the tech security world. Ideal for IT staffers,
information security and privacy practitioners, business managers, service
providers, and investors alike, this book offers you sound advice from three
well-known authorities in the tech security world. You'll learn detailed
information on cloud computing security that-until now-has been sorely lacking.

The Official Ubuntu Book (4th Edition)

By Benjamin Mako Hill, Matthew Helmke, Corey Burger
Prentice Hall, ISBN: 0137021208

Written by expert, leading Ubuntu community members, this book covers all
you need to know to make the most of Ubuntu 9.04, whether youʼre a home
user, small business user, server administrator, or programmer.

The authors cover Ubuntu 9.04 from start to finish: installation, configuration,
desktop productivity, games, management, support, and much more. Among
the many topics covered in this edition: Edubuntu, Kubuntu, and Ubuntu Server.

Eleventh Hour Security+

By Ido Dubrawsky
Syngress, ISBN: 9781597494274

This book focuses on just the essentials needed to pass the Security+
certification exam. It's filled with critical information in a way that will be easy to
remember and use for your quickly approaching exam. The title contains easy
to find, essential material with no fluff - this book does not talk about security in
general, just how it applies to the test. The author, Ido Dubrawsky, is the Chief
Security Advisor, Microsoft's Communication Sector North America, a division
of the Mobile and Embedded Devices Group.

Hacking: The Next Generation

By Nitesh Dhanjani, Billy Rios, Brett Hardin
OʼReilly, ISBN: 9780596154578

With the advent of rich Internet applications, the explosion of social media, and
the increased use of powerful cloud computing infrastructures, a new
generation of attackers has added cunning new techniques to its arsenal. For
anyone involved in defending an application or a network of systems, Hacking:
The Next Generation is one of the few books to identify a variety of emerging
attack vectors. You'll not only find valuable information on new hacks that
attempt to exploit technical flaws, you'll also learn how attackers take
advantage of individuals via social networking sites, and abuse vulnerabilities in
wireless technologies and cloud infrastructures.

www.insecuremag.com 34
 Collaboration and socializing, flexible and movable content, interoperability -
these are all things that made Web 2.0 the answer to our needs. New tech-
nologies to sustain this evolution are introduced almost daily, but we should
not be so naive to think that attackers won't be able to find ways to compro-
mise and take advantage of them and us.

Stefan Tanase, senior security researcher of
Kaspersky's Global Research and Analysis
Team, ventured a few predictions for the evo-
lution of threats that await us in 2010. He
started by summarizing the current situation:
• 2009 saw the Internet become the biggest
infection vector - most of the infections are not
coming from instant messaging platforms,
peer-to-peer networks or email, but directly
from the Web (through web applications).
• 1 in 150 websites is currently spreading in-
fection - and these are no longer websites
created for the specific purpose of spreading
malware, but legitimate websites that got
breached through compromised FTP ac-
counts, which were the point of entry for in-
jecting iFrames or JavaScript for delivering
exploits.
But what about the future? There are 4 differ-
ent combinations of threats and web applica-
tion that we can expect:
• Old applications, old threats = old news
• New applications, old threats = predictable
• Old applications, new threats = more or less
predictable
• New threats, new applications = the
Unknown (mostly).
New applications, old threats
Cross-site scripting in the Google Wave appli-
cation is a good example.

www.insecuremag.com 35
 Spam and phishing scams will follow all new
popular applications because the bigger the
target pool is, the bigger the chance of suc-
ceeding will be. New applications will bring
more unwanted content and offer more space
for criminals to maneuver in and spread mal-
ware, and new, improved Koobface modules
to target them.
Old applications, new threats
New features will be exploited. Koobface will
evolve - encrypted or obfuscated configura-
Spam and phishing scams will follow all new popular applications because the bigger the tar-
get pool is, the bigger the chance of succeeding will be.
New applications, new threats
It is, of course, difficult to predict which new
threats will rise from new, yet unknown appli-
cations because we can't possibly know what
the features will be or what they will be de-
signed to do.
But, as more and more personal information
becomes public on social networks, it will be
used to execute targeted attacks. Advertisers
are already using this information for targeted
ads, so the potential for exploitation seems
obvious.
Another new aspect of these attacks will be
automation - with the use of geographical IP
location, automatic language translators that
are becoming better and better, and informa-
tion about personal interests and tastes that
can be found and accessed on the Web.
Zeljka Zorz is a News Editor for Help Net Security and (IN)SECURE Magazine.
www.insecuremag.com
tion files and improved communications infra-
structure (possibly peer-to-peer architecture).
AV detection rates will start to matter because
they will start targeting more experienced us-
ers - users who keep their software up-to-
date. Because of this they will probably start
encrypting the packets to avoid detection and
to make the analysis process harder. And, fi-
nally, technical exploits will be developed and
used in addition to social engineering.
These attacks will be localized, contextualized
and personalized.
What can we do about it?
We should use a fully featured Internet secu-
rity solution, an up-to-date browser, and al-
ways the latest versions of software that has
historically proved to be very vulnerable (e.g.
Flash Player, Adobe Reader, etc.).
We should also learn not to trust every mes-
sage from contacts in the social networks we
use, and don't assume that just because a
website is high-profile and has a good reputa-
tion, it is inherently safe.
In the end - we should learn and teach. Edu-
cate ourselves and others about potential
threats.
36
 Office applications (Adobe Reader, Microsoft Office, etc.) are being actively
targeted by malware authors. Malicious documents “in the wild” that try to in-
fect your machine by exploiting vulnerabilities in the office applications
abound. For more than a year now, PDF files targeting Adobe Reader have
been quite popular with malware authors.

I assume that you need to use vulnerable of-
fice applications on your business computer,
and that applying patches to fix vulnerabilities
is not always possible, or that it requires leav-
ing your machines unprotected for a time. I
also assume that using alternative office ap-
plications to change the attack surface is not
an option for your business.
steal confidential documents from a competi-
tor.
I had one important criteria for selecting tech-
niques to feature in this article: use only free
software.
Least-privileged user account (LUA)

The techniques featured here help to protect
you from malware that targets the general
Internet population. These techniques are not
appropriate to protect you from targeted at-
tacks. In a targeted attack, the malware author
has information about his target that allows
him to design his malware to operate in the
(restricted) environment of his target.
An example of malware used in a targeted at-
tack is a malicious PDF document designed to
Almost all shellcode I see in malicious docu-
ments (PDF, Word, Powerpoint, …) found “in
the wild” does the following:
1. Download a trojan from the Internet using
HTTP
2. Write the downloaded executable to
SYSTEM32
3. Execute the downloaded executable.

www.insecuremag.com 38
 This infection method only works if the user is
the local admin. If the exploited program has
no rights to write to SYSTEM32, the shellcode
will fail in its task and the Trojan will infect the
machine.
To protect your users against this type of at-
tack, restrict their user rights. Windows Vista
and later Windows versions do this for you
with UAC, even if youʼre an administrator.
On Windows XP, you have to use a normal
user account instead of an admin account to
achieve this. But running with LUA on Win-
dows XP is not always easy. If you really need
to allow admin rights on Windows XP, you can
Itʼs not always easy to launch a program with
DropMyRights, as there are many ways a pro-
gram can be launched on Windows. For ex-
ample, it can be done with a file-type associa-
tion or from a browser. To help you configure
www.insecuremag.com
still prevent high-risk applications (like Adobe
Acrobat and Microsoft Office) from having full
control over the system by restricting their
rights. This is achieved by using a restricted
token for the processes of these applications.
There are 2 popular tools to launch programs
with a restricted token:
• DropMyRights by Michael Howard
• StripMyRights by Kåre Smith.
Both tools create a restricted token (by remov-
ing privileges and denying groups that provide
local admin rights) and then launch the target
program with this restricted token.
Windows to always restrict the rights of a spe-
cific program, StripMyRights also supports the
“Image File Execution Options” method with
the /D option.
39
 The “Image File Execution Options” is de-
signed to allow you to launch a program
automatically inside a debugger. In the “Image
File Execution Options” registry key, you spec-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\acrord32.exe]
"Debugger"="StripMyRights.exe /D /L N"
This way, each time AcroRd32.exe is exe-
cuted, StripMyRights executes first, creates a
restricted token and then launches
AcroRd32.exe with this restricted token.
Another technique to use restricted tokens
that does not require additional software is to
You just have to create a registry value and
create a rule for each application you want to
restrict.
Another very effective way to prevent mali-
cious documents from infecting your PCs is to
prevent vulnerable applications from starting
other applications. As almost all shellcode
found in malicious documents “in the wild” will
ultimately start another process to execute the
Trojan, blocking this will prevent the Trojan
from executing (there are exceptions to this -
www.insecuremag.com
ify the debugger to use. This can really be any
executable. To restrict the rights of Adobe
Reader, add StripMyRights to the
AcroRd32.exe Image Execution path like this:
use Software Restriction Policies. These can
be set locally with the Local Security Settings
or in your domain with a group policy.
Software Restriction Policies allow you to
force specific applications to run with a
restricted token.
some malware will load a malicious DLL inside
the existing process).
This is an old idea youʼll find implemented in
many sandboxes and HIPS. I added a new
DLL to my basic process manipulation tool kit
to prevent applications from creating a new
process. Loading this DLL inside a process
will prevent this process from creating a new
process. When the DLL is loaded inside a
process, it will patch the Create Process API
to intercept and block calls to it:
40
 Hook-createprocess.dll is a DLL that patches
the process into which it is loaded to prevent it
from creating new processes. It does this by
patching the Import Address Table of
kernel32.dll for ntdll.dll to hook API functions
NtCreateProcessEx, NtCreateProcess and
NtCreateUserProcess.
Calls to these functions are intercepted and
not passed on to the original functions. In-
stead, a code is returned indicating that the
operation was blocked. The result is that func-
tions in kernel32 used to create new proc-
esses fail (like WinExec) and so the patched
process canʼt create new processes.
This is all it takes to block most shellcode
found in malicious documents.
This simple way of preventing applications
from launching other applications comes with
some drawbacks. For example, the Check
Update function in Adobe Reader will not func-
tion anymore.
To load hook-createprocess.dll inside vulner-
able applications, you can update the import
Your users will need instructions what to do
with this dialog (i.e. click No), unless you use
the latest version of Adobe Reader where the
www.insecuremag.com
table of the executable to add the DLL, or use
the AppInit_DLLs registry key with my
LoadDLLViaAppInit DLL.
JavaScript and Adobe Reader
There are two specific techniques to protect
Adobe Reader from malicious documents.
Most malicious PDF files employ JavaScript to
exploit a specific JavaScript-function vulner-
ability or to perform a heap spray. When you
disable JavaScript support in Adobe Reader,
the JavaScripts inside PDF documents will not
be executed when the file is opened. The re-
sult is that vulnerable JavaScript functions
won't be exploited, or that PDF-exploits will fail
because the JavaScript heap spray didn't exe-
cute.
Adobe Reader has the option to disable
JavaScript, but it has a drawback. When a
user opens a PDF document with embedded
JavaScript, Adobe Reader will prompt the user
to re-enable JavaScript for this specific docu-
ment.
dialog box has been replaced by a less intru-
sive message:
41
 A less restrictive JavaScript protection tech-
nique is to use the JavaScript BlackList
Framework.
This new feature allows you to leave support
for JavaScript enabled, but to blacklist vulner-
able JavaScript API functions.
For example, to protect Adobe Reader from
the 0-day in JavaScript API function
DocMedia.newPlayer, you need to add this
function to registry value tBlackList. By doing
so, JavaScripts using this function will be in-
terrupted when the vulnerable function is
called inside the script.
The user will see a warning, but he will not
have the option to allow the function call to go
through.

Conclusion select the PDF category:

This article features several techniques to pro-
tect vulnerable office applications from exploi-
tation by malicious documents.
For step-by-step instructions on how to im-
plement these techniques, visit my blog and
blog.didierstevens.com/category/pdf
Keep in mind that these techniques work with
current “in the wild” malware because we miti-
gate the tactics used by malware authors, but
that this is an arms race and that evolving tac-
tics require evolving protection measures.

Didier Stevens (CISSP, GSSP-C, MCSD .NET, MCSE/Security, RHCT) is an IT Security Consultant currently
working at a large Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting
Services company (www.contraste.com). You can find open source security tools on his IT security related
blog at blog.DidierStevens.com.

www.insecuremag.com 42
 Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in
learning more about security, as well as engaging in interesting conversations on the subject.

If you want to suggest an account to be added to this list, send a message to @helpnetsecurity
on Twitter.

Our favorites for this issue are:

@IBMFedCyber
Chris Ensey - Principal Security Strategist for IBM Federal.
http://twitter.com/IBMFedCyber

@wikidsystems
Nick Owen - CEO of WiKID Systems.
http://twitter.com/wikidsystems

@paperghost
Chris Boyd - Internet security guy.
http://twitter.com/paperghost

@mikkohypponen
Mikko H. Hypponen - CRO at F-Secure.
http://twitter.com/mikkohypponen

www.insecuremag.com 43
 While I'm of the opinion that the economy is done bleeding for the most part,
it does not mean that I believe weʼll be back to the glory days anytime soon.
That produces a big challenge in 2010 for CIOs, who are trying to piece to-
gether a series of legacy, new and specialized network systems to optimize
data and productivity without sacrificing their security posture in the process.

While easier said than done, it is by no means
impossible. What's more, CIOs are not alone,
and there are plenty of best practices to do
this. That's because the issue is not new, de-
spite the negative impacts to an organization's
competitiveness, manpower requirements and
operational risks. The upfront capital and per-
sonnel costs to upgrade systems become dif-
ficult to justify. So while the goal of implement-
ing new, integrated platforms is still on the
wish list of many IT departments, here's how
companies can deal in reality, and systemati-
cally ensure that all its systems are working
together in the most secure and efficient man-
ner possible.
Review goals before setting policies
Security policies are usually modified and up-
dated when an organization implements a new
system, setting certain rules and guidelines for
that particular piece of software or equipment
without much regard to their relevance to to-
day's environment or impact to other net-
works. In fact, many policies over time can be
so conflicting as to make them practically use-
less.
This is why CIOs need to take the time to
conduct a thorough review of their policies for
such issues. The best way to do this is to first
determine what their overall goals and objec-
tives are in preserving and protecting their or-
ganizationʼs precious data. As daunting as that
sounds, there is help at little to no cost. For
example, the well renowned SANS (SysAd-
min, Audit, Network, Security) Institute offers a
Security Policy Resource page on its Web site
(www.sans.org/security-resources/policies/).
The free program is a consensus research
project of the SANS community, and is de-
signed to offer small to medium-sized

www.insecuremag.com 45
 organizations the tools they need to rapidly
develop and implement information security
policies. The vast set of resources includes
templates for 24 important requirements. The
site also offers those new to policy develop-
ment a way to get a head start on such initia-
tives, while also providing specific direction on
issues related to legal requirements, such as
the HIPAA guidelines.
In exchange for leveraging these tools, SANS
asks that organizations actively take part in
updating and improving the templates, as it
aims to consider the resource page a contin-
ual work in-progress. In particular, companies
Most CIOs donʼt have a full accounting of all the equipment
and intangibles they own and operate.
Perform a security audit
The natural tendency is to believe that the
only way to conduct one effectively is to hire
an outside consulting team and break the
bank in the process. That need not be the
case. It does, however, require full commit-
ment from IT staff and the creation of a sys-
tematic process to make this happen in the
most efficient manner possible. At a minimum,
include these steps:
• Know what you should know. Begin by
identifying all the assets within the IT depart-
ment, categorizing them by system and pur-
pose. As strange as this may sound, most
CIOs donʼt have a full accounting of all the
equipment and intangibles they own and op-
erate. The biggest reasons for this is because
some devices, software, files and other sys-
tems are shared with other departments. As a
general audit rule, stay within the realm of as-
sets that are owned by the IT department or
required to effective maintain the companyʼs
network security.
• Prioritize the assets. After a thorough list is
compiled, the next step is to figure out which
ones pose the biggest risk. This can be based
on a factor of the probability of being attacked
and the level of harm that can come of it. One
word of caution – donʼt simply ignore the leg-
acy systems when making the list. Just be-
www.insecuremag.com
are encouraged to share their own policies if
they reflect a different need than the program
provides, thereby expanding the benefits of
the resource center.
Only after a general goals framework is estab-
lished can CIOs and their security teams audit
their systems for conformity, and determine
what changes are needed. Often times or-
ganizations will conduct one before reviewing
their security policies, in typical “cart-before-
the-horse” fashion. Though the largest ex-
pense at this point is time, the hard dollar sav-
ings that come from be starting with a review
of policies is significant.
cause theyʼve got a specific tasks or is the
oldest device in the department doesnʼt mean
that itʼs not tied to a mission critical business
task.
• List known threats. Brainstorm how each
system and device are inherently threatened
from internal and external sources. These will
include things such as how complex employee
passwords are as well as how many folks
have access to sensitive or private company
data, the presence and configuration of spam
filters, anti-virus program and such. Keep in
mind, too, that certain features and functions
embedded in newer systems are not in some
of the legacy ones. Threats of old may still
need to be identified and respected.
• Look at trends. Keeping up to date on the
latest IT publications to read about the past
and potential future security trends gives a
good foundation for determining the “un-
known” and then figuring out the steps neces-
sary to counter that threat. Other good re-
sources include industry associations and
peers.
There are also free, detailed checklists avail-
able for download from a host of credible
sources, including:
• Help Net Security - bit.ly/8wsQc7
• University of Massachusetts - bit.ly/8h7KKe
46
 Another good idea in conducting an audit is to
assign different personnel who are not nor-
mally in charge of asset management or secu-
rity procedures to participate. Their fresh set of
eyes can provide a good “sanity check” to ex-
isting documentation and processes. It can
also provide a foundation for good cross-
training within the department that may come
in handy later. For anyone whoʼs been a victim
of “Murphyʼs Law” knows that security in-
stances, like any crisis, usually occurs when
the main person is on vacation or out of the
office and unreachable.
Turn policies into practices
With a clear understanding of assets, priorities
and threats in place, the next thing to do is
find out where the existing holes lie and shore
up defenses. The key is to convert the overall
goals, system set ups and policies into consis-
tent use practices. That means organizations
will need to look at developing an effective se-
curity intrusion response plan that will docu-
ment and provide the appropriate steps to re-
act for each intrusion as it occurs, be it hard-
ware or software oriented. As important, how-
ever, is the need to establish network access
controls, or the verification the security of any
user into the system against an accurate and
up-to-date list, as well as content- and rate-
based intrusion prevention platforms to
counter hackers.
Doing this may not only require purchasing
additional VPN firewalls, email gateways and
Unified Threat Management appliances, but
also training and educating employees on the
impact their systems have on others, particu-
larly legacy systems that are not their own.
The introduction and sophistication of middle-
ware has made this occurrence extremely
commonplace. In these cases, manuals and
trade journals are a good start, but the best
resource may be the IT staff members who
have kept the legacy equipment operational
well past its projected lifespan.
These folks know the ins and outs of the sys-
tem and all of its benefits and shortcomings.
Sharing that knowledge across employees
might be the best preventative measure a
company can implement.
www.insecuremag.com
Going a step further, organizations can make
it an even greater habit to incorporate such
subject matter expertise in order to solidify the
right processes and procedures in three im-
portant ways:
• Build an internal advisory team. While se-
curity folks are the natural choice to lead such
efforts, they will by no means be the only ones
involved. The ideal situation would be for all
departments to have a designated representa-
tive coordinate efforts within and outside their
area. Herein lies the challenge for any com-
pany – policies and practices will often tran-
scend areas of responsibilities for individuals
and managers, and failure to make security
practices seamless across these lines will
create vulnerabilities that hackers seek to ex-
ploit.
• Leverage the lessons learned from oth-
ers. None of us are alone in our quest to exe-
cute strategic security initiatives with finite re-
sources, many real-life examples of such are
well documented in trade magazines, journals,
webinars and other free resources. Pay closer
attention to them – particularly those using
similar legacy systems – in order to prevent
getting the same scars as others have done
before.
• Pressure vendors to produce. Organiza-
tions should not go at it alone, but rather enlist
their system integrators and product vendors
to help make this happen. The best partners
are the ones who should have robust, turnkey
offerings that specifically and clearly meet this
demand. These firms should also maintain an
arsenal of best practices to show a true return
on a companyʼs investment.
Time and people – The biggest investment
The practices reveal the most important ele-
ments to successfully implementing a security
program that protects new and legacy sys-
tems; the time and people required to make it
happen. While most likely the biggest line item
in an IT Departmentʼs budget, funding it ade-
quately is a valuable investment in preserving
productivity, data and – ultimately – and or-
ganizationʼs business goals. Talk is cheap and
policies are only as good as those who are in
charge of its execution.
47
 This is not unlike other business operation,
such as offshore software development or
outsourced product fulfillment, where long-
standing benefits of such initiatives are not re-
alized without oversight and monitoring
authority.
As such, budget debates must focus not just
on what legacy systems to keep and what kind
of security equipment to implement, but also
on the individuals and resources needed to
set overarching policies and management
procedures; the absence of which will mean
that all the money spent keeping up with the
latest tools and systems will be fruitless.
While security tools will also be essential to
keep networks running optimally while protect-
ing sensitive and confidential corporate data,
such systems should not be procured and in-
stalled at the expense of getting the right per-
son with the right equipment in place to moni-
tor and respond to evolving issues in accor-
dance with a well established corporate IT pol-
icy.
Companies that successfully thwart a cyber
attack will possess a well integrated combina-
tion of the right tools with the right decision
makers. No single algorithm or detection sys-
tem will be enough, if staff members are not
provided the training and tools to do their job.
Make no mistake – people have and always
will matter if organizations are to maintain a
robust security posture.

Max Huang is the Founder and President of O2Security (www.o2security.com), a manufacturer of high-
performance network security appliances for small- to medium-businesses as well as remote/branch offices,
large enterprises and service providers. Max can be reached at max.huang@o2security.com.

www.insecuremag.com 48
 Accurate assimilation of the differences amongst cryptographic systems of-
ten evades even the most experienced IT professional. The objective of this
article is to offer the means for understanding this topic and aid the security
engineer in making decisions.

Back in the summer of 2002, I had designed a
four-layer firewall system for an international
bond firm. During the process, one of the ac-
tion items was to select an operating system
image for the firewalls in question. The manu-
facturer of the firewall(s) is not important, al-
though it should be noted that it was (and is)
one of the market leaders.
One of the variables in selecting the image for
the firewalls was encryption. The viable op-
tions available were DES (Data Encryption
Standard), 3DES (Triple DES), and AES (Ad-
vanced Encryption Standard). The dilemma
that existed at the time was that DES and
3DES could be bundled into the firewalls for
free. AES, on the other hand, required a fairly
significant additional outlay of capital. The
question, of course, was whether or not the
advantages of AES over 3DES were worth the
additional cost.
We include DES in this discussion, even
though it is currently considered to be an in-
adequate encryption algorithm. Understand-
ing DES directly leads into the comprehension
of what is happening when a 3DES process is
being used. Having said that, what prompted
the creation of this article was the fact that the
internal IT staff at the firm in question had a
surprisingly limited understanding of what
they were actually buying. Yet, what was sur-
prising was how adamant they were at insist-
ing they must have the newer algorithm. It is
this lack of understanding we wish to help the
IT community with here, since we find more
and more IT folk (especially the more experi-
enced professionals) that toss around

www.insecuremag.com 51
 acronyms without researching their underpin-
nings. Since all IT decisions come down to
dollars and sense versus functionality, this
scenario turned into a “risk analysis” exercise
centered on how likely it was that a hypotheti-
cal attacker had the means to “crack” 3DES
and yet not be capable of getting through
AES. Then, comparing that difference in
probability to the implied “loss” that would be
realized in the event of a breach, in an effort
to justify the additional cost.
The result of this exercise was that 3DES was
more than sufficient since we had calculated it
was more likely (from a probabilistic stand-
point) that the equipment would be stolen,
physical security compromised, and the in-
formation easily removed from the internal
systems without needing to crack one encryp-
tion key. This result was disliked greatly by the
IT staff, but liked immensely by the accounting
department who now felt they saved quite a
bit of money.
Since this will not be an overview on how to
develop risk scenario calculations, weʼll focus
on trying to educate our fellow IT profession-
als on why BOTH algorithms are great, but if
one costs more money, either can be used so
one can save money. In the process, we will
hopefully clear up some misunderstandings
about their inherent differences and advan-
tages in different situations.
In an effort to bridge the gap between the
“newbie” IT professional and the seasoned
expert, we will offer some definitions where
appropriate. Our goal is simply this – to come
away with a better understanding of the differ-
ences amongst encryption algorithms and
where they fit in todayʼs business computing
environment.
Data Encryption Standard, 3DES, and
Advanced Encryption Standard
To begin, let us quickly come up to speed on
some points: “Cryptology” is essentially de-
fined as the making and breaking of secret
codes. It consists of two parts: cryptography,
which is the development and use of codes;
and, cryptanalysis, which is the breaking of
the codes. These two aspects go hand in
hand as the cryptanalysis confirms (or ne-
gates) the strength of the algorithms them-
www.insecuremag.com
selves. Once shown to have vulnerabilities,
the algorithms tend to get stronger via im-
proved cryptographic mathematics (usually).
Please keep in mind that this “cat and mouse”
game between code creators and code
breakers is not new, by ANY means. Cryptog-
raphy was very popular even during the time
of Julius Caesar since the security of a mes-
sage delivered by a human could NOT be se-
cured simply by trusting the human. In fact,
recall the Hundred Years War between France
and England. At that time, the cryptanalysts
were ahead of the cryptographers. France be-
lieved the Vigenère cipher to be unbreakable.
The British, of course, cracked that code. No
algorithm is truly unbreakable. Hence, the se-
curity of entire nations sometimes rests on the
strength of encryption codes! But, let us return
from our digression.
Put simply, a “cipher” is an algorithm for per-
forming encryption and decryption. With a
substitution cipher, one letter is substituted for
another to encrypt a message. In simplest
form, the number of letters in the output
equals that of the input. One of the shortcom-
ings of this simple cipher is its vulnerability to
frequency analysis.
If a message has 15 B's, for example, and B
is replaced by L, the ciphertext would still con-
tain 15 Ls. As the message lengthens, it be-
comes more and more vulnerable to fre-
quency analysis because the message would
retain the frequency patters found in the lan-
guage, even though the characters are differ-
ent.
Polyalphabetic ciphers were invented to make
up for the shortcomings of the substitution ci-
pher. The Vigenère cipher is an example. It
encrypts using a series of different Caesar ci-
phers based on the letters of a keyword. This
makes it invulnerable to frequency analysis.
National security dictated the need to create
DES, which was adopted by the National In-
stitute of Standards and Technology in 1977,
and later approved by the American National
Standards Institute in 1981 (ANSI X3.92). It is
defined as a “Block Cipher” because it han-
dles data in 64 bit “blocks.” This means eight
bytes, since one byte [historically] equals
eight bits. Within this 64-bit block, 56 bits are
52
 used for the “key” to encrypt and decrypt data.
Please do not let the terms “key,” “cipher” and
“ciphertext” impede your understanding of en-
cryption technology (we can do that with
much more complex scenarios!). Just re-
member that TEXT follows a CIPHER (algo-
rithm) using a KEY, creating CIPHERTEXT.
Thatʼs it. For example, letʼs encrypt a phone
number: (212)-755-2477. To encrypt this text
we will use an algorithm whereby we very
simply add a key to each digit. Thus, the algo-
rithm is “digit+key” = “ciphertext.” The key we
will use is arbitrary – letʼs say the number 5.
Therefore, the ciphertext is (767)-200-7922.
Notice that if the digit is greater than 10, we
simply drop the “tens” place. This should be
reflected in the definition of our algorithm BUT
in an attempt to keep this simple we opted for
understanding instead. In conclusion, to de-
crypt our ciphertext, the recipient must be
given our encryption algorithm and key. The
process can then be done in reverse - 7-5=2,
6-5=1, etc. Of course, even DES, with its anti-
quated 56-bit key, is MUCH MORE compli-
cated than this example; but, hopefully, some
insight has been offered that will aid the un-
derstanding of where we are going with these
ideas.
DES, with a key that is 56-bits long, provides
approximately seventy-two quadrillion itera-
tions. Thatʼs 72 followed by 15 zeros. Al-
though this may seem like an incredible
number, as computing power continued to
increase after 1977, the possibility of a com-
puter with enough power to traverse all com-
binations being used also increased. It be-
came clear that eventually, this would not
suffice for all applications, especially those
where a breach would have grave repercus-
sions.
The DES algorithm and the mathematics of
performing the DES operation more than once
are linear. That means that if it takes x micro-
seconds to encode a block using DES, with a
56-bit key, it would take 3 times x to encode
the same data by performing the DES algo-
rithm with three distinct keys. Doing so pro-
vides an equivalent key of 56 x 3 or 168 bits.
Not bad! However, we explain this process in
this manner to clearly show that going from
DES to 3DES requires three times the com-
puting power to encode the same data. Re-
www.insecuremag.com
member, EVERYTHING in IT is eventually
guided by cost. So then, the question be-
comes, is 168 bits adequate to protect even
the most sensitive of data?
It only took 21 years for DES to be cracked
using a brute force attack. In 1998, The Elec-
tronic Frontier Foundation utilized $250,000 of
computing power to crack DES in less than
three days. Since then, many successful at-
tempts have been made in cracking DES. The
point weʼre getting at is this: whether itʼs a
single computer or many computers operating
in parallel, the dollar value per computer cycle
will vary; however, it is the number of keys
that can be processed per second that mat-
ters. The computer in 1998 processed 88 bil-
lion keys per second. If we assume a 10-fold
increase in computing power in ten years,
then today, it would still take many hours to
crack DES. NOW, given that, in comparison,
using the same computer, with the 10-fold in-
crease, it would take approximately 3 quadril-
lion years to crack 3DES. Thatʼs about
250,000 times the age of the universe. Thus
the odds, under current conditions, of crack-
ing 3DES are pretty slim.
For basic understanding, 3DES uses a meth-
odology known as “EDE” - encrypt, decrypt,
encrypt. This means three different keys are
used → [k1,k2,k3]. IF we simply encrypt 3x,
using k1,k2, and k3, the effective key length
would be only 58 bits, instead of the 168 with
3DES-EDE.
Now that we know all this, why should you
ever want to introduce another algorithm? The
short answer is - it depends. Letʼs consider
where AES (or the need for an alternative to
3DES) became a consideration.
The National Institute of Standards and Tech-
nology completed a task to find a replacement
for Triple-DES. This endeavor was undertaken
because of several factors. Obviously, as
computer power continues to increase, the
time it takes for a brute force attack against
an algorithm to be successful would drop. De-
spite the times described above, which illus-
trate the improbability of this, another factor
that could make a difference is computational
complexity. What does this mean? In ex-
tremely simple terms, the algorithm cannot
have any shortcuts that circumvent the
53
 process of calculation the answer. In other
words, if we multiply 3,412 and 7,815, we
need to follow a step by step mathematical
process to get the answer; first, five times
two, etc. However, if we multiply 1,000 and
10,000, we can simply count the zeros and
put a one in front; 10,000,000. This is a short-
cut in the algorithm used to multiply the num-
bers. In evaluating the usefulness of an en-
cryption algorithm, there can be no possibility
that any of these shortcuts exist.
It was also decided that the replacement for
3DES would need to be more “computation-
ally efficient” than 3DES. What this means, in
simple terms, is that the number of compute
cycles required to perform the encryption
would be less than the number required to
compute 3DES ciphertext of the same
strength. The reason for this is that we now
have a plethora of handheld devices and
gadgets that help us communicate. These de-
vices need encryption, but they are using
processors that may not be as powerful as
those found in a desktop computer. Hence, an
encryption algorithm that requires less
“horsepower” would become more and more
essential.
The result was that the Advanced Encryption
Standard is more computationally efficient
and stronger, when key lengths are the same
as with 3DES. AES works fast even on small
devices such as smart phones, smart cards
etc. AES provides more security due to larger
block size and longer keys. It uses 128 bit
fixed block size and works with 128, 192 and
256 bit keys. The Rijndael algorithm is in gen-
eral flexible enough to work with key and
block size of any multiple of 32 bit with mini-
mum of 128 bits and maximum of 256 bits.
Without question, there is constant scrutiny
over how much time is needed to crack an
algorithm. Hundred of mathematical analyses
can be called upon. However, numbers that
are mentioned in security circles center on
approximately 5 billion years to crack Triple-
DES and 150 trillion for AES. This, of course,
is implying the same information to encrypt,
the same key size, and computational power.
Is it possible to use a cipher that is completely
unbreakable? Claude Shannon proved, using
information theory, that any theoretically un-
www.insecuremag.com
breakable cipher must have keys which are at
least as long as the plaintext, and used only
once. Of course, this is completely impractical
in some cases and thus, the Advanced En-
cryption Standard addresses many of the
needs that today, would render an algorithm
obsolete or unusable.
Now that we have established why AES is
generally a better choice for encrypting infor-
mation than 3DES, we would like to provide
some education about what AES is - in a way
that is easily “digestible”. It is widely known
that AES is currently based on a cipher
named “Rijndael.” The name is derived from
two Belgian cryptographers, Joan Daemon
and Vincent Rijmen.
The AES Algorithm works via a scheme called
“substitution-permutation” network. Very sim-
ply, the scheme takes BOTH the original in-
formation to be encoded, plus a key and uses
this input. Based on this input, a substitution
overlay changes the information. Each over-
lay is a “round”, so depending on how many
times this is done, we say the original infor-
mation went through an x number of rounds to
get the ciphertext. If you are interested, you
can look up the actual algorithm as it is open
to the public. From a purely mathematical
sense, it is a very elegant method AND is very
fast at producing ciphertext. Again, it is this
focus on speed that led to Rijndael becoming
the algorithm of choice. Please be advised
that THERE ARE OTHER ALGORITHMS that
are mathematically more difficult to crack.
However, they lack some of the other bene-
fits, such as speed. Remember, an increase
in speed AND encryption strength is known as
“computational efficiency.”
Conclusion
There are a few things to consider when dis-
cussing AES and 3DES that should not be
omitted. First of all, these are “symmetric” al-
gorithms because the use a private key for
BOTH encryption and decryption. For com-
parison, RSA is an asymmetric cipher.
We bring this up to illustrate one point. Key
length does NOT indicate the overall strength
of the algorithm. RSA, for example, with a key
length of 2048 bits is equivalent in strength to
an RC4 cipher with only 128 bits to its key!
54
 Asymmetric algorithms like RSA, elliptical-
curve and Diffie-Hellman can be 1000x slower
than symmetric algorithms. Factoring large
numbers or computing logarithms are the ba-
sis for the asymmetric algorithms and this
take significantly more time. VPNs use
asymmetric encryption to hide the exchange
of the symmetric keys that will be used to en-
crypt the data. This is done because encrypt-
ing data in real time requires a fast algorithm.
Asymmetric encryption is simply too slow.
Hence, each of these ciphers has its place in
the information technology world.
Protection for this Symmetric key
number of years.
3 Years 80
10 Years 96
20 Years 112
30 Years 128
Quantum computing 256
Please also consider an interesting point
about 3DES usage in practice: 3DES uses a
scheme known as “EDE” (Pronounced Eddie)
- encrypt, decrypt, encrypt [using keys
k1,k2,k3]. If, instead, we simply encrypted 3x
(thinking that by encrypting three times we
were increasing security), using k1,k2, and k3
as keys, the effective key length would be 58
bits, instead of the 168 with 3DES-EDE.
In summary, a few key points that the reader
should keep in mind:
• 3DES is secure enough for just about every
corporate application and should NOT be
viewed as inferior to newer algorithms.
" o The application of DES 3x with differ-
ent keys makes brute force attacks on 3DES
infeasible because the basic algorithm has
withstood the test of time for 35 years.
• The AES algorithm is a faster cipher, able to
provide equivalent security with less CPU “cy-
Anthony Fama is a partner at Computer Integrated Services. He has held numerous industry certifications,
including some from Novell, Cisco, and Sun. He holds a Bachelor of Science Degree in Electrical Engineering
and Physics and is an MBA as well. He also has a Masters Degree in Astrophysics and has been a member of
Mensa for over twenty years.
www.insecuremag.com
I would like to close with an illustration of ex-
pectations for future key lengths, predicted by
the NIST. The table below is public informa-
tion and can be found by starting at nist.gov
and navigating through the site.
These predictions assume algorithms will re-
main mathematically and cryptographically
sound. Further, that computing power will con-
tinue at its current rate of growth; thus brute
force attacks continue to get faster. Note that
if a method other than brute force is discov-
ered, key lengths become obsolete.
Asymmetric key Digital signature Hash
1248 160 160
1776 192 192
2432 224 224
3248 256 256
15424 512 512
cles” than 3DES and some other popular al-
gorithms not described in this article.
• Key length does NOT indicate overall
strength, although lengthening the key does
make the algorithm stronger BUT at a cost in
computational power.
Each encryption algorithm can exist in soft-
ware OR hardware and the one chosen
should fit the application and take CPU power
and required speed into account.
Hopefully, this discussion has helped you un-
derstand some of the differences in 3DES and
AES, and has perhaps enhanced what you
may have already known about encryption.
If you would like to explore this further, I would
highly recommend the following two titles:
1. Introduction to Algorithms, by Ron Rivest.
2. Introduction to Modern Cryptography, by
Jonathan Katz
55
 In any environment, large or small, the managing and interpreting of log files
is a time consuming and expensive responsibility. Generally, this particular
job is perceived as a boring waste of time, and is usually pushed onto whom-
ever is the “weakest” part of the team and executed half-heartedly and - there-
fore - poorly.

I, for one, believe that log files contain a lot of
wisdom that most systems, applications and
network administrators miss. While log files
are considered a necessary evil and are con-
sulted only when someone is complaining
about problems with certain services, they are
key to understanding the baseline behavior of
your environment (when everything is running
smoothly) and are therefore fundamental for
the detection of anomalies. “Love thy logs like
you love thyself” should be a mantra for all
previously mentioned administrators.
Even in the smallest of environments you'll
have a dozen computers (workstations and
servers) and a few network appliances (rout-
ers, firewalls, switches, access points). Add
some multifunctional printers into the mix, and
you're good to go.
The great majority of these devices will be
spitting out messages with a vengeance, and
it is you who must prioritize and process these
events. Even if you think itʼs not necessary,
you will probably have to do it as a compli-
ance requirement.
All of this would be a big problem if you had to
do it step-by-step, page-by page, by yourself.
Luckily, there are plenty of products out there
today that can provide these two services. I
am, of course, talking about log management,
and security incident and event management
solutions. The former acts as a black hole into
which all log events within your network are
siphoned and kept in. The latterʼs task is to
correlate events you throw in it and provide
you with a Web 2.0 dashboard from which you
can analyze the results.

www.insecuremag.com 57
 How can you learn about your environment
and how to protect it in a cost-effective man-
ner, enable your organization to respond to
incidents when they happen, and satisfy audi-
tors? In my opinion, OSSEC is a good answer
to that question.
I found out about OSSEC while I was search-
ing the web for log management advice. Back
in those days, we had to do a lot of things by
ourselves. Apparently Daniel Cid had been
encountering the same problems I was, be-
cause he decided to do something about it.
He developed OSSEC, and released it as
open source - which it still is today.
You may notice that the rules are defined in
.xml files. It is incredibly easy to create your
own rules or modify existing rules to fit your
requirements. As long as you are somewhat
familiar with regular expressions - for xml and
the application youʼre creating rules for - there
is basically no limit to what you can do with
OSSEC.
The OSSEC architecture
In this article, I'm assuming a client/server in-
stallation, since all but one daemon are pre-
sent in both the client/server and the standa-
lone installation. OSSEC is designed to run
www.insecuremag.com
Interpret any log, on/from any system
OSSECʼs current version is 2.3 and the client
runs on Windows, Linux, AIX, Solaris and HP/
UX. The server runs on Linux, AIX, Solaris
and HP/UX. Additionally, OSSEC can even
monitor systems on which you cannot install
the software for whichever reason.
The built-in rule base is pretty impressive.
Alongside log rules for open source solutions
like Apache, MySQL, sendmail and squid,
there is also an impressive amount of rules for
commercial solutions such as several AV en-
gines, firewalls, networking products and MS
Exchange.
several daemons, all assigned limited and
specific tasks. All but one are running on
chroot. Letʼs introduce them:
Analysisd runs on chroot as the user ossec
and does all the analysis. In a standalone in-
stallation this process obviously runs on the
client, but in the client/server setup it runs
only on the server. The direct benefit is that
the resource-intensive analysis of events is
executed by the server, which is usually dedi-
cated to doing just that. This leaves the re-
sources craved by your application un-
touched.
58
 Remoted (running on the server) receives the
logs from Agentd (running on the client). Re-
moted is running on chroot (user = ossecr)
and Agentd too (user = ossec). Remoted is
responsible for all communications with the
agents.
Monitord is responsible for monitoring the
agents and takes care of the centralized log-
files. The daily logs are compressed and
signed by this process, too. We have one
process doing analysis, one sending events
and another receiving them. But, we also
need a worker to collect the events, and this
task is performed by the logcollector. This
daemon is running as root, which is required
because it obviously needs access to the log-
files it will monitor.
The last two daemons are maild and execd.
Maild, running on chroot (user = ossecm)
sends mails on specific alerts if e-mail notifi-
cation is enabled (weʼll see later that this is
easily configurable). The final process, which
coincidentally converts the HIDS into a HIPS,
is execd - the process responsible for starting
active responses.
This sums up all the functionality offered by
OSSEC: we collect logs (logcollector), send
<decoder name="pam">
<program_name>(pam_unix)$</program_name>
</decoder>
<decoder name="pam">
<program_name></program_name>
<prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
The first one tells OSSEC to treat any log
message for which the program name is
(pam_unix) as a PAM message, applying
subsequent decoder rules to it. The second
rule is to catch those PAM messages that, for
one reason or the other, get logged with an-
<decoder name="pam-user">
<parent>pam</parent>
<prematch>^session \w+ </prematch>
<regex offset="after_prematch">^for user (\S+)</regex>
<order>user</order>
</decoder>
www.insecuremag.com
them to the server (agentd and remoted), de-
code and analyze them (analysisd) and we
act upon the generated alerts (maild and
execd) if so required.
Analysis: when gibberish becomes
language
A log event can contain a lot of information,
but we donʼt need all of it. We are interested
in the parts that we can use to create action-
able alerts. OSSEC does the analysis in three
phases: pre-decoding, decoding and analysis.
In the first phase - pre-decoding - the informa-
tion provided by the event source is parsed
and known fields are extracted. The time, the
system name and the application name are of
particular interest here, but the log message
is left untouched and passes on to the next
phase, decoding. Here, the log message is
inspected in depth and information is further
extracted. Usually we want to gather informa-
tion like source IP, username, destination IP,
etc.
With a basic understanding of regular expres-
sions you can create your own decoders.
Letʼs take a look at the default PAM decoder.
The first two decoder rules are:
other program name. Those messages that
contain either the string pam_unix or (pam_u-
nix) are still regarded as PAM messages.
Now, we need to extract information we can
work with from those messages.
59
 The first tag of interest is the <parent> - this
refers to the earlier decoder rules. Any mes-
sage that is decoded as PAM is picked up this
rule.
The <prematch> tag looks for a string that
starts with the word “session”, followed by one
or more other words. If these prerequisites
are met, weʼre ready to grab some information
(in this case the username). We do that by
using a regular expression, hence the <re-
gex> tag that we tell to start after the pre-
match. Any information we need from the pat-
tern we put between round brackets. With the
<order> tag, we tell OSSEC in which order we
find our information. That will become clearer
in a message from which we extract - more
information.

<decoder name="pam-host-user">
<parent>pam</parent>
<prematch>rhost=\S+\s+user=\S+</prematch>
<regex>rhost=(\S+)\s+user=(\S+)</regex>
<order>srcip, user</order>
</decoder>

This is where things become interesting. No-
tice that the <regex> tag doesnʼt contain the
prematch parameter because we want to ex-
tract information from the same string that we
use to match on. From this message we want
to extract the source IP address and the user-
name and we tell OSSEC that the first string
we captured in round brackets is that IP ad-
dress and the second one is the username.
Hereafter, everything builds upon the decod-
ers. Letʼs have a look at the PAM rules.

<rule id="5500" level="0" noalert="1">

<decoded_as>pam</decoded_as>
<description>Grouping of the pam_unix rules.</description>
</rule>

Every rule gets a unique id, a number be-
tween 100 and 99999. The level can be any
number between 0 and 14 - it allows you to
granularly rank alerts by severity. Level 0
means that this event is of no significance as
we use it only to group the pam_unix alerts.
With noalert we specify that no alerts are re-
quired. In the <decoded_as> tag we tell OS-
SEC that this rule applies to all messaged de-
coded as PAM by our decoder rules and with
<description> we tell everyone who has never
seen an OSSEC rule before what this is
about.

<rule id="5501" level="3">

<if_sid>5500</if_sid>
<match>session opened for user </match>
<description>Login session opened.</description>
<group>authentication_success,</group>
</rule>

Now it gets really exciting! Rule 5501 is a
level 3 event and builds on rule 5500. We look
for the string “session opened for user” to reg-
ister a successful login event. OSSEC allows
us to build so-called rule trees - chains of
alerts that allow us exact control about what
gets logged and with which alert level. A good
example would be the following: We want to
be alerted when Chris logs on to the alpha
server at any time, but not if any other users
log on. It would look a little like this:

www.insecuremag.com 60
 <rule id=”10000” level=”0”>
<hostname>alpha</hostname>
<description>group alpha events</description>
</rule>
<rule id=”10001” level=”10”>
<if_sid>10000</if_sid>
<user>Chris</user>
<description>Chris is logging on to the alpha server</description>
</rule>

Rule trees can become pretty complex, espe-
cially when you start weaving in active re-
sponses.
Active response: Defend!
This is where you can get creative. How do
you want to repel attackers today? A good ex-
ample of what you might do here is in the user
quotes on the OSSEC website where Paul
Sebastian Ziegler tells about his little experi-
ment with the solution at the Defcon15 “0wn
The Box” competition.
He let OSSEC fire up arp poisoning against
attackers using the scapy tool. All that was
necessary is a set of rules to identify the at-
tack and a couple of entries in ossec.conf to
link his script with the rules he wrote. It was
named the most evil entry in the competition.
The first thing youʼll need to do to set up ac-
tive response is identify the rules for which
you want to take action to prevent further
damage. You have to chose wisely, or even
write more in-depth rules to make sure you
get as low a false positive rate as possible.
Then, you write your script. What you do and
how you do it is completely up to you - there
is absolutely no limit as to what you can do
here.
The next step is enabling the scripts. Copy
them to the active-response/bin folder of your
OSSEC install path and reference them in
your ossec.conf file. OSSEC comes with
some basic active response scripts – here is
an example:

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

All active response commands start with the
<command> tag and are given a proper name
with the <name> tag. The <executable> tag
tells OSSEC where the script is and the <ex-
pect> tag describes which information is
needed to run this script. The last <time-
out_allowed> tag specifies whether this com-
mand supports timeout. In this case it can,
and we can tell the system to block a certain
host for x minutes. After that period the re-
verse command will be run, unblocking the
host.
Now, we are ready to use this command in
active response scenarios, either based on
the rule id or on the severity of the event:

<active-response>
<command>host-deny</command>
<location>local</location>
<rules_id>10013</rules_id>
<timeout>300</timeout>
</active-response>

www.insecuremag.com 61
 <active-response>
<command>host-deny</command>
<location>local</location>
<level>10</level>
<timeout>300</timeout>
</active-response>

Both rules will execute the host-deny script.
The first one when rule number 10013 is trig-
gered and the second one when any event
with a severity level of 10 or higher is trig-
gered.
Conclusion
I hope that I have given you a good overview
of OSSECʼs capabilities. With the support for
multiple operating systems and the flexibility
to adapt it to specific environments, I would
recommend it to anyone looking to gain con-
trol over their environment.
If you want to look into it further, I would sug-
gest starting at the OSSEC website
(www.ossec.net). Additionally, the “OSSEC
Host-based intrusion detection” book written
by Daniel Cid, Andrew Hay and Rory Bray
and published by Syngress is a very good
reference for the solution. If you really get
stuck, you can get a very fast answer from the
OSSEC user group.
Now off you go! Start loving your log files and
give them the attention they deserve.

Wim Remes is an information security consultant from Belgium and co-host of the Eurotrash information
security podcast (www.eurotrashsecurity.eu).

www.insecuremag.com 62
 RSA Conference 2010 (www.bit.ly/rsac2010)
Moscone Center, San Francisco. 1-5 March 2010.

InfoSec World Conference & Expo 2010 (www.misti.com/infosecworld)

Disney's Coronado Springs Resort, Orlando, FL. 19-21 April 2010.

Infosecurity Europe 2010 (www.infosec.co.uk)

Earls Court, London. 27-29 April 2010.

Gartner Identity & Access Management Summit (europe.gartner.com/iam)

Lancaster London, London, UK. 3-4 March 2010.

Corporate Fraud: Prevention, Detection & Investigation in the Aftermath of

the Global Economic Downturn (www.bit.ly/b4U0RV)
Boston, MA. 15-16 March 2010.

SecureCloud 2010 (cloudsecurityalliance.org/sc2010.html)

Majestic Hotel and Spa, Barcelona, Spain. 16-17 March 2010.

Atlanta SecureWorld Expo 2010 (secureworldexpo.com/events/index.php?id=266)

Cobb Galleria Centre, Atlanta, GA. 27-28 April 2010.

Cyber Defence 2010 (smi-online.co.uk/2010cyber17.asp)

Swissôtel, Tallinn, Estonia. 17-18 May 2010.

ISSD 2010 (issdconference.com)

Westminster Conference Centre, London. 20-21 May 2010.

www.insecuremag.com 63
 Authors: Nitesh Dhanjani, Billy Rios and Brett Hardin I Pages: 296 I Publisher: OʼReilly I
We have all been witnessing new kinds of at-
tacks emerging thanks to new technologies
and ways of using our computers and net-
works. The use of social media, an increas-
ingly mobile workforce, cloud computing -
these are just a few of the latest trends that
increase the possibility of being breached.
This book explains them all and gives you in-
sight into the techniques and mindset of to-
day's attackers.
About the authors
Nitesh Dhanjani is a well known information
security researcher and speaker. He is the
author of many books about hacking and
computer security, and is Senior Manager in
the Advisory practice At Ernst and Young.
Billy Rios is a security engineer and used to
be a penetration tester for both VeriSign and
Ernst and Young. He made his living by out-
smarting security teams, bypassing security
www.insecuremag.com
measures, and demonstrating the business
risk of security exposures.
Brett Hardin is a Security Research Lead with
McAfee. Before that, he was a penetration
tester for Ernst and Young's Advanced Secu-
rity Center assessing web application and in-
tranet security for Fortune 500 companies.
Inside the book
If there is one adjective that fits all successful
cyber attackers, it's "resourceful". They dig up
information through any means they can find
and use it effectively to reach their goal.
Whether the reason behind the attack is
vengeance, fame, political or plain, old fashion
greed, they always seem to be one step
ahead of the defenders.
But, that is not exactly true - for every attack
that succeeds, there are hundreds or thou-
sands that fail.
65
 And most of the time, they fail because they
have come up against people who have
knowledge about which attack vectors are
likely to be deployed against a network and
then securing it against them.
This book covers a lot of ground. It starts with
enlightening us about the myriad of ways an
attacker can gather information needed to
execute the attack: dumpster giving, social
engineering, scouring the social networks for
information, etc.
Everyone should be made aware that the old
division between trusted and untrusted zones
and individuals can no longer be applied, that
network protocols offer many dangers be-
cause they are were not built with security in
mind and that every application has at least
one vulnerability that can be exploited. It is not
necessary for everyone to know how to fix
these problems, but in this case, a little para-
noia goes a long way.
Zeljka Zorz is a News Editor for Help Net Security and (IN)SECURE Magazine.
www.insecuremag.com
There are all these helpful and wonderful tools
and technologies out there, and we use them
every day to work and play and run errands.
This book gives us an insight into all the bad
things that can happen - so that we can make
sure they don't.
Final thoughts
Hacking: The Next Generation is an extremely
thorough, enjoyable and easy read. The
authors aimed the book at anyone interested
in learning the techniques that attackers use
presently. I would say that it should be read by
everybody whose work depends on computers
- well, at least some of the chapters.
It says everything it should without the endless
repeating and rephrasing so that readers
would understand the concept, because it was
so clearly explained the first time. This is a
book that will get and keep your attention, and
a must-read book for everyone dealing with
computer and information security.
66
 Sandra Toms LaPedis, Area Vice President and General Manager of RSA Con-
ferences, is responsible for global promotion and successful execution, in-
cluding strategy, brand extensions, content, marketing, logistics and partner-
ships for the Conference. In this Q&A she talks about what you can expect at
RSA Conference 2010 in San Francisco.

What's new in store for attendees of RSA
Conference 2010 in San Francisco this
year?
The RSA Conference has more of what at-
tendees expect – more technical sessions,
relevant topics and case studies. Two new
class tracks have been added this year: Data
Security and Security in Practice. Sessions in
the Data Security track cover strategies, prac-
tices and technologies to classify, track and
protect sensitive data across the enterprise –
with partners, with outsourcers and with users.
The Security in Practice track will provide par-
ticipants with tangible examples of how large
enterprises solved hard security problems.
We have also enhanced two existing tracks.
Physical Security is now Physical Security and
Critical Infrastructure to include topics such as
SCADA and distributed/process control sys-
tems. Networks is now Network and Mobile
Security to include management of mobile de-
vices, mobile malware and how consumeriza-
tion impacts mobile security.
Additionally, Innovation Sandbox is back in
2010! This popular half-day program, taking
place on Monday, includes interactive white
boarding sessions, ask the experts panels,
whisper suites, a serial entrepreneur panel –
plus an exciting demo area with a "top 10"
group of start-up companies. Innovation
Sandbox – representing today's best new se-
curity solutions – culminates with a shoot-out
among the top 10 start-ups as they present
their companies and products to a judging
panel comprised of venture capital profes-
sionals, CISOs, CTOs and industry experts.

www.insecuremag.com 68
 We are also working with SANS on delivering
in-depth two-day training sessions pre-
Conference, as well as one-day sessions de-
livered by some of our best speakers. A new
Security Basics Boot Camp one-day session
has been added for those new to the field, and
focuses on the core security technologies that
will be discussed during the week.
Finally, weʼve added a new program on
Thursday evening, just before the Codebreak-
ers Bash, called Pecha Kucha (PK) Happy
Hour. Drawing its name from the Japanese
term for the sound of "chit chat," PK is a pres-
entation format that is based on a simple idea:
20 images x 20 seconds (total presentation
length: 6 minutes, 40 seconds). Presentations
can be about information security or other-
wise, and the format demands a concise, fo-
cused approach in order to keep things mov-
ing at a rapid pace!
How many attendees are you expecting for
this edition of the conference? How many
exhibitors?
As the leading information security event with
over 240 sessions, several thousand at-
tendees and over 300 exhibitors are
anticipated.
Who are the keynote speakers and what
topics are they discussing?
Executives from the leading companies in in-
formation security are keynoting, including
representatives from Microsoft Corp., RSA
(The Security Division of EMC), Symantec
Corp., CA, Inc., IBM, McAfee, Inc., PGP
Corp., Qualys, Inc. and VeriSign, Inc.
The RSA Conference perennial favorite, the
Cryptographers Panel, will be moderated
again by Ari Juels, Chief Scientist and Direc-
tor, RSA Labs, with panelists including Whit
Diffie, Visiting Professor, Royal Holloway Col-
lege, University of London, and Visiting
Scholar, Stanford University; Marty Hellman,
Professor Emeritus of Electrical Engineering,
Stanford University; Ron Rivest, the “R” in
RSA; Adi Shamir, the “S” in RSA; and Brian
Snow, Former Technical Director, NSA IAD.
Other stimulating keynotes sessions include
PW Singer, Senior Fellow and Director of the
www.insecuremag.com
21st Century Defense Initiative, Brookings In-
stitution, who will discuss, “The Robotics
Revolution and 21st Century Conflict.” And a
panel entitled “Dealing with Sophisticated
Threats in Cyberspace without Creating Big
Brother” will certainly be an interesting
discussion of competing interests.
Moderated by Forbes Magazine National Edi-
tor, Quentin Hardy, panelists include Richard
Clarke, former U.S. Cyber Security Czar; Mi-
chael Chertoff, former U.S. Secretary of the
Department of Homeland Security; and Marc
Rotenberg, privacy expert with EPIC, a re-
search center established to focus public at-
tention on emerging civil liberties issues and
to protect privacy.
What tracks and workshops would you
highlight?
Hackers and Threats has always been a
popular double track and the speaker lineup is
very impressive this year. Research Revealed
also highlights the underground economy,
new classes of vulnerabilities, exploitation
techniques, reverse engineering and how to
combat these problems. The Industry Experts
track features some of the most highly rated
speakers from previous RSA Conference
sessions.
And, as mentioned above, attendees should
be sure to attend Innovation Sandbox and the
Security Basics Boot Camp on Monday, in
addition to PK Happy Hour on Thursday.
Budgets are tight so what would you say
to companies thinking about sending their
employees to RSA Conference?
The cost of a public breach is much higher
than the costs of attending the RSA Confer-
ence. The benefits of learning from skilled
speakers, discovering innovative companies
and sharing best practices with other organi-
zations facing the same challenges is invalu-
able. Our attendees are increasingly charged
with making critical business and purchasing
decisions that impact their organizationʼs se-
curity posture – RSA Conference is the place
to find new solutions and make deals.
69
 Wireless LANs offer flexibility in accessing enterprise resources. Anyone with
a laptop or a smartphone has free access to network resources, since wire-
less systems use airwaves that extend beyond the physical perimeter of the
enterprise.

An increasing amount of incidents involving
data breaches, bandwidth stealing and denial
of service attacks on wireless networks have
made it a business requirement to deploy se-
cure, authenticated wireless networks. Secu-
rity protocols such as Wired Equivalent Pri-
vacy (WEP) and Wi-Fi Protected Access
(WPA) are outdated and it is no longer pru-
dent to expect that basic authentication and
encryption schemes such as those using pre-
shared keys are sufficient against todayʼs
more sophisticated attacks.
Even though access control through the use
of VLAN steering and ACLs has been avail-
able at a port level on Ethernet switches, in
many wireless deployments today the granu-
larity of access control has been limited to the
SSID-level VLAN, ACL and QoS settings. In
many cases, this has resulted in parallel net-
work topologies in the enterprise – one for
wireless and the other for wired access. Wire-
less network deployments must balance user
accessibility and mobility with hardened secu-
rity and a greater degree of access control.
What is required is a combination of secure
wireless clients, wireless infrastructure, and a
network policy system that supports the latest
encryption and authentication standards with
granular, per-session access control.
Wireless security and the IEEE 802.1X
standard
The most secure way of implementing wire-
less security is 802.1X, which is an IEEE
standard, used to authenticate access to both
wireless and wired networks. Enhanced secu-
rity and access control provided by 802.1X
includes support for centralized authentica-
tion, authorization, accounting and dynamic
key management. 802.1X uses the Extensible
Authentication Protocol (EAP) for message
exchange during the authentication process,
which means that it supports secure authenti-
cation methods that make use of X.509 cer-
tificates and passwords.

www.insecuremag.com 70
 There are three components involved in typi-
cal 802.1X interactions: A supplicant (on the
client device), an authenticator (on the wire-
less controller), and a backend authentication
server. A high level description of 802.1X in-
teractions follows:
1. Secure authentication. When a wireless
client (running a supplicant) attempts to con-
nect to a wireless controller, the supplicant
and the authentication server negotiate a se-
cure TLS tunnel.
In password based authentication, the client
sends credentials to the authentication server
in the secure tunnel. In certificate based
authentication, the client presents its X.509
certificate. In both cases, the wireless control-
ler forwards the packets between the suppli-
cant and the authentication server.
2. Granular enforcement. On successful
authentication, the authentication server
sends a message to the wireless controller to
permit or deny access. It can also send other
network enforcement attributes such as
VLAN, ACL, QoS, etc. Note that this enforce-
ment is applied to network traffic from the
authenticated client.
3. Dynamic keys and data encryption. At
the end of the authentication exchange, the
authentication server also sends a key (co-
derived with the supplicant during the authen-
tication exchange) to the wireless controller;
this key is then used by the supplicant and the
wireless controller to derive dynamic session
keys for data encryption.
As can be seen from the above flow, IEEE
802.1X offers a framework for:
• Performing strong authentication
• Generating dynamic keys for data encryp-
tion, and
• Enforcing granular access control in the
network.
Deploying 802.1X for employee access
Employees in enterprises typically log in from
corporate managed devices (laptops, desk-
tops). These managed devices can be config-
ured to access the network via 802.1X with
minimal effort. For a smooth transition from
www.insecuremag.com
pre-shared key based wireless access to
802.1X based access, a phased deployment
is recommended.
Phase 1 – Secure access
Step 1 - Wireless controller configuration
• Configure a subset of controllers with an
SSID that requires 802.1X-based authentica-
tion
• Configure the authentication servers on the
controller (A policy/AAA server that terminates
RADIUS/EAP protocol)
• Turn on RADIUS accounting by configuring
RADIUS accounting servers, so authentica-
tions can be tracked.
Step 2 - Policy/AAA Server Configuration
• Add the controllers that were configured in
Step 1 as RADIUS clients
• Configure the appropriate EAP methods for
user authentication. Microsoft Windows and
MAC OS X clients support the EAP-PEAP
[EAP-MSCHAPv2] method natively, so this is
a good choice for an authentication method.
Note that the authentication method you con-
figure also depends on the identity store in
which your user records are stored. Microsoft
Active Directory, for example, is compatible
with the MSCHAPv2 authentications.
• Configure the identity store for authentica-
tions. This is typically an enterprise directory
• Add a policy that permits access if authenti-
cation is successful, and denies access
•otherwise.
Step 3 - Client configuration
• Enable the native 802.1X supplicant on the
client computers. Microsoft Windows, MAC
OS X and most Linux distributions have native
support for 802.1X. Note that there are tools
available to ease this configuration process.
• Enable single sign-on. The credentials that
are entered in the login window of the OS are
used as 802.1X authentication credentials.
This is supported on both Windows and MAC
OS X based computers.
Expected benefits of a Phase 1 deployment
entail the following:
• Secure authentication of all employees
• Dynamic keys for strong wireless data en-
cryption
• Improved tracking of user access.
71
 Phase 2 - Differentiated access
Once Phase 1 is fully deployed, granular ac-
cess control based on roles of the employees
can be implemented. Depending on how your
network is configured and the capabilities of
your wireless controller, granular access con-
trol can range from role-based network seg-
mentation (VLAN), Access Control List (ACL)
and Qualify of Service (QoS), to a per-user
stateful firewall.
If the right network design is in place, this
phase requires configuration only on the
policy/AAA server:
• Configure policy server to extract user at-
tributes from the identity store. The extracted
identity attribute can be group, department,
title or any other attribute associated with
user.
• Configure policies to send access control
primitives (VLAN, ACL, etc.) to the wireless
controller, based on one or more of the ex-
tracted identity attributes.
The benefit of deploying phase 2 is that users
get access to network resources based on
their role in the organization. As users move
around in the network, from building to build-
ing, their access permissions follow them
around.
Phase 3 - Advanced access control
Differentiated access deployed in Phase 2
can be further enhanced by taking into con-
sideration other identity, health or session
based attributes. For example, the following
are some of the attributes commonly used to
provide a finer degree of differentiated ac-
cess:
• Time of day
• Location
• Access type (wireless, wired)
• Device OS and type (laptop vs. handheld)
• Device health (Anti-Virus, Anti-Spyware)
checks. Device health can be collected and
evaluated by:
" • An agent that is available in the OS
(such as the Microsoft NAP Agent that is
available with the Windows XP SP3, Windows
Vista and Windows 7)
" • A vendor-specific permanent agent.
www.insecuremag.com
Machine Authentication (extending em-
ployee access to include known devices)
In many enterprises, devices that the user
logs in from must be corporate approved de-
vices. Machine authentication can be done
alongside with 802.1 X-based user authenti-
cations, and tied together by the backend pol-
icy system. Machine authentication can be
done by verifying the presence of a machineʼs
MAC address in an inventory database, or by
performing a separate 802.1X machine
authentication against an identity store that
has the “computer” account (For example, Mi-
crosoft Windows computer accounts in Active
Directory).
Tackling guest access
Guests typically get a temporary username
and password to log into the network. They
are given restricted privileges to the network –
typically only Internet access. Since 802.1X
requires computer configuration, enterprises
typically do not enforce 802.1X-based access
for guests. So how is a wireless guest access
handled?
Guest access configuration steps are outlined
below:
Step 1 - Wireless controller configuration
• Configure a guest SSID on the wireless con-
trollers
• Optional data encryption can be configured
by requiring a WPA2 pre-shared key (which is
handed out to the guest, along with the tem-
porary username and password)
• Access control for this SSID can be statically
configured (unless different guests get differ-
ent levels of access, in which case policies
need to be configured on the Policy/AAA
server)
• Configure the authentication servers on the
controller (A policy/AAA server that terminates
RADIUS protocol)
• Most controllers have a built-in guest portal
that acts as a captive portal. The look and feel
of this portal can be customized. Most control-
lers also have support for a portal hosted on
an external “guest system”. This latter con-
figuration has several advantages:
" • A Portal can be used for wired, wireless
and VPN use cases.
72
 " • Support for health checks by means of
a dissolvable agent loaded through the portal.
" • Portal customization can be on a cen-
tral server, without having to distribute it to
multiple controllers.
" • Ability to support a single landing page
and multiple portals (guest, contractor, part-
ner, employee portals, for example) by attach-
ing to a single SSID.
Step 2 - Policy/AAA server configuration
• Add the controllers that were configured in
Step 1 as RADIUS clients
• Configure the identity store for authentica-
tions. This is typically the database that is
resident on the server
• Configure sponsor accounts that allow per-
mission to add guest accounts in the local da-
tabase
• Add a policy that permits access if authenti-
cation is successful, and denies access oth-
erwise. If granular access is required, config-
ure policies appropriately.
In this flow, when guests associate with the
“guest” SSID and bring up a browser and visit
any web site, they are redirected to the cap-
tive portal. They enter their credentials and
get access.
Handling unmanaged device access
Unmanaged devices are those that are not
managed by the enterprise. Laptops or other
computing devices brought in by guests can
be handled as described in the previous sec-
tion. Access policies for other unmanaged de-
vices – for example, those brought in by em-
ployees – can be handled in multiple ways:
• Users can register these devices (typically, a
function provided by the policy server). Once
registered, these devices are allowed access
into the network based on their MAC address.
Any device that is not in the MAC address da-
tabase is denied access.
" • Some policy servers also have the ca-
pability to perform device fingerprinting (by
port scanning or by using the services of an
external device profiler). The access policy
then takes into account both the MAC ad-
dress and the device fingerprinting informa-
tion. This makes MAC address spoofing much
harder.
www.insecuremag.com
" • Unmanageable devices such as wire-
less printers and VoIP phones can also be
given access by combining MAC address
authentication with device fingerprinting.
• Some devices such as the iPhone, Droid,
Nexus One, etc., natively support 802.1X.
These devices can be given access to the
network if an enterprise user authenticates
from these devices. The other option is to
have these devices go through a registration
process, which registers their MAC address in
a database. Once registered, employees can
access the network using 802.1X. (This en-
sures that employee is accessing the network
from a known and approved device).
Unmanaged device access configuration
steps are outlined below:
Step 1 - Wireless controller configuration
• Configure an SSID with MAC filtering en-
abled
•Optional data encryption can be configured
by requiring a WPA2 pre-shared key
•Access control for this SSID can be statically
configured (unless different device types re-
quire different levels of access to the network)
•Configure the authentication servers on the
controller (A policy/AAA server that terminates
RADIUS protocol).
Step 2 - Policy/AAA server configuration
• Add the controllers that were configured in
Step 1 as RADIUS clients
• Configure the identity store or white lists for
MAC-based authentications. This is typically
the database that is resident on the server
(An external device profiler that supports
LDAP can also be used as identity store.)
• Add a policy that permits access if authenti-
cation is successful, and denies access oth-
erwise. If granular access based on device
type is required, configure policies appropri-
ately.
802.1X client-side deployment considera-
tions
When deploying 802.1X-based authentication,
a few deployment hurdles need to be taken
into account.
Modern operating systems have native sup-
port for 802.1X, both for wired and wireless
access.
73
 However, when rolling out 802.1X enterprise-
wide, these supplicants need to be configured
with the right parameters (such as EAP
method, single sign on, machine authentica-
tion, CA certificate, fast-reconnect, to name a
few). This is a tall order for most end users.
In Microsoft Windows-only environments that
use Active Directory-based authentication, a
Group Policy Object (GPO) that configures
these parameters can be provisioned. When
the user logs in, the GPO is pushed to the cli-
ent and the 802.1X parameters are automati-
cally configured. There are also third-party
wizards that are not limited to deploying
802.1X in Windows-only environments.
802.1X configuration for MAC OS X, Linux
and some smart phones can also be de-
ployed. The goal is provide the IT team and
user with a trusted method for configuring an
endpoint and making that first 802.1X connec-
tion.
Conclusion
As enterprises increasingly rely on wireless
networks throughout their infrastructure as a
standard business practice, network adminis-
trators must address the security issues that
accompany the technology. With the emer-
gence of the 802.1X standard, most network-
ing equipment now offers the basic tools to
address secure wireless access with a finer
degree of control.
In closing, without a strategy and the proper
tools to manage these controls, security ad-
ministration becomes expensive, time con-
suming, and potentially unreliable. The idea is
to think big, but definitely use a phased or
adaptive deployment model that meets your
immediate needs.

Santhosh Cheeniyil is the Founder and VP of Engineering of Avenda Systems (www.avendasys.com). He has
over 19 years of product design, development and management experience in the computer industry. Prior to
co-founding Avenda Systems, Santhosh was at Cisco Systems for over 7 years, where he was a Senior Man-
ager and Technical Leader in security, voice and network management technology groups; he led the design
and development of several successful products in the VoIP and network management areas. He was a
Principal Engineer at Devsoft Corporation, which was acquired by Cisco in 1998.

www.insecuremag.com 74
 Sectool (www.net-security.org/software.php?id=700)
Sectool is a security tool for RPM based distributions. It can be used for security auditing and in-
trusion detection.

FreeRADIUS (www.net-security.org/software.php?id=193)
The FreeRADIUS Server Project is a high-performance and highly configurable RADIUS server. It
includes plug-in modules with support for MySQL, PostgreSQL, Oracle, IODBC, IBM DB2, MS-
SQL, Sybase, LDAP, Kerberos, EAP, PAM, MS-CHAP and MPPE, Digest authentication, Python,
X9.9, and many more.

Lansweeper (www.net-security.org/software.php?id=739)
Lansweeper is a powerful freeware solution to make a complete software, hardware, asset inven-
tory of your Windows network.

Tunnelier (www.net-security.org/software.php?id=181)
Tunnelier is a powerful SSH2 port forwarding client with many features.

www.insecuremag.com 76
 As the breaches at Heartland Payment Processing Systems and Hannaford
Brothers have demonstrated, compliance with the Payment Card Industry
Data Security Standard (PCI DSS) does not guarantee bulletproof security. Fa-
vorable performance in an annual On-Site PCI Data Security Assessment or
Self-Assessment Questionnaire (SAQ) is simply a snapshot of a companyʼs
status at one point in time and not proof of ongoing compliance. For example,
Hannaford Bros received its PCI DSS compliance certification one day after it
had been made aware of a two-month long breach of its network.

The PCI Security Standards Council says that
“compliance efforts must be a continuous
process of assessment and remediation to
ensure safety of cardholder data.”
Given this advice, as well as the examples of
post-compliancy breaches, the global retail
community and its service suppliers have
been propelled into a new era for PCI DSS
compliance management. Not only must the
retailer, bank or payment processor achieve
compliance at a fixed point in time, it must
also implement specific programs to manage
and maintain compliance on an ongoing basis.
The concept of “Continuous Compliance”
helps these market constituents save money
on SAQs and audit / certification fees by
Qualifies Security Assessors (QSAs).
With cybercriminals becoming ever more in-
ventive, approaching PCI compliance with a
project mentality with the simple goal of pass-
ing the audit falls well short of actually attain-
ing a secure operation. Ideally, a retailer
should know its PCI DSS compliance status
on a daily basis, be able to adapt to updates in
the standard, and ensure that employees are
educated on security policies and are follow-
ing them.

www.insecuremag.com 77
 To achieve this, retailers must shift their view
of security and compliance from a checklist
mentality for passing an audit to a state of
continuous IT security.
Permanent and uncompromising process dis-
cipline must be instituted on the data security
domain to achieve consistent, effective protec-
tion for the sensitive and confidential customer
information collected and stored.
While this may sound like a daunting task—e-
specially for smaller retail merchants—using
an automated IT Governance, Risk and Com-
pliance (IT GRC) solution provides the type of
information and the security framework
PERMANENT AND UNCOMPROMISING PROCESS DISCIPLINE MUST BE
INSTITUTED ON THE DATA SECURITY DOMAIN TO ACHIEVE CONSISTENT,
EFFECTIVE PROTECTION FOR THE SENSITIVE AND CONFIDENTIAL
CUSTOMER INFORMATION COLLECTED AND STORED.
The information security policy
While many retailers approach PCI DSS com-
pliance as a technology problem, itʼs just as
much a people problem. Simply installing the
best firewall and encryption technologies is
just the first part of the solution. Following IT
security best practices and establishing a writ-
ten security policy is the next step, but if em-
ployees arenʼt following those policies the or-
ganization remains vulnerable. According to
Deloitteʼs “The 6th Annual Global Security
Survey,” “people are the problem.”
The report states that, “Human error is over-
whelmingly stated as the greatest weakness
this year (86%), followed by technology (a dis-
tant 63%).” The Computing Technology Indus-
try Association, Inc. (CompTIA) echoes that
assessment in its "Committing to Security: A
CompTIA Analysis of IT Security and the
Workforce," survey stating that, “Human error,
not technology, is the most significant cause of
IT security breaches.”
To reduce security risk cause by human error,
a retailer must have a process for distributing
its IT security policy and ensuring that each
employee has read and understands the pol-
www.insecuremag.com
needed for achieving and sustaining a high
level of continuous compliance—and security.
The GRC model
"GRC" refers to a class of automated systems
that help organizations integrate and control
the management of complex regulatory man-
dates and operational risk in alignment with
appropriate high level company governance.
GRC is a strategic approach to the universal
concept of compliance. It can help retailers
meet PCI compliance requirements as well as
providing a controls management framework
to protect other types of customer-confidential
information.
icy and acknowledges their responsibility in
protecting the organizationʼs information and
data. GRC systems have Security Awareness
modules make it easy for retailers to educate
employees on general IT security practices
and internal IT security policies. The Aware-
ness module also tracks who takes each
course and records test scores.
Business continuity planning
The impact of a data breach can be devastat-
ing. IT GRC systems include a Business Con-
tinuity Planning (BCP) component that pro-
vides retailers with a single source repository
for the guidance, information and plans nec-
essary to respond to a data breach incident.
Continuous PCI compliance for small mer-
chants
Smaller merchants are an appealing target for
cybercriminals because they often do not have
the expertise to properly secure card holder
data. A GRC tool delivered as “Software as a
Service” (SaaS), hosted at a remote location
and delivered over the Internet, makes it af-
fordable and adaptable for any size merchant.
78
 Technological complexities achieving PCI
compliance
The GRC model provides a centralized auto-
mated compliance workflow management and
tracking system to handle the enormous num-
ber of tasks that need to be performed, coor-
dinated and analyzed to achieve PCI DSS
compliance and pass audits. Without auto-
mated management, control and oversight of
the total process of PCI compliance becomes
highly inefficient and costly.
The many moving parts of PCI DSS
compliance
PCI DSS compliance is an ongoing manage-
ment challenge caused by changes in busi-
ness processes and technology, vendor-
supplied and third-party processor systems,
and security threats. In addition, the PCI stan-
dard evolves on a regular basis. Automated IT
GRC tools enable retailers to respond to
change by improving the planning cycle and
by organizing the relationships among poli-
cies, people, technology controls and risk in-
formation.
Joseph Dell is president of Lightwave Security (www.lightwvesecurity.com), an Atlanta-based GRC solution
provider and exclusive North American distributor for SecureAware. He can be reached at
jdell@lightwavesecurity.com.
www.insecuremag.com
Cross-organizational coordination
A GRC systemʼs compliance workflow capabil-
ity allows retailers to delegate specific security
assignments to different employees across the
organization, and to define specific completion
dates or specific intervals for repetitive tasks
for each technology control or business proc-
ess to meet the PCI DSS requirement to as-
sign tasks and accountability.
Total PCI compliance oversight
IT GRC solutions provide total oversight of the
entire PCI compliance process, including
technology-based components. It is an auto-
mated workflow optimized to manage and
monitors event and feedback information from
multiple components with an at-a-glance
summary, and assess and report on these
controls in every form needed, from installa-
tion to the results produced. Automated IT
GRC tools can help retailers achieve a new
level of security by creating a framework for
continuous data security improvement and
PCI DSS compliance while reducing the costs
of compliance.
79